I am more and more concerned about the relentless expansion of what Kim Cameron, tongue in cheek, dubbed the NASCAR approach to Relying Party Single Sign-On on the Web: the login page plastered with a row of identity provider logos. And it's not the inherent phishability of the method that Kim alluded to in his blog that worries me most.
Even big daily newspapers like the New York Times and Los Angeles Times have recently picked up on this phenomenon. I have often wondered what economic laws drive this rapid adoption and why isn’t there a huge backlash against the privacy implications in all of this?
I remembered Gresham's Law from my business school days, which explains why 'bad' money drives out good money. In essence, when governments reduced the amount of copper in the pennies they minted, the public hoarded the copper pennies and only spent the lightweight ones. It struck me that ever since Facebook relentlessly started pushing its lightweight (in terms of security) solution to the perennial Web single sign-on problem, it has been difficult to sell more solidly engineered solutions to our customers.
It seems bad identity, like bad money, drives out good identity.
Why am I concerned? David Recordon tells us in his blog: “We’ve finally convinced businesses – which serve normal people – that having their users sign in with existing accounts is better.” But I am thinking: “Where is informed user consent in all of this?”
It may be a cultural thing, but in Europe we seem to abhor the relentless invasion of our privacy, powered by OpenID Connect. At the same time, in the USA, companies like Janrain are extolling the virtues of collecting a richer, more complete set of data and social graphs on users, claiming they can link together information about us that we would perhaps rather keep separated in different Identity Providers' compartments.
What prompted me to write this post? Maybe it was watching 'Erasing David' last night on Belgian TV. I was rather disappointed, but at the same time the film reminded me how difficult it already was in 2009 to push this particular genie back into the bottle.
Building a better, 'safer' solution is what motivates me every day working for Verizon Business. Of course, at the end of the day my company is not a charity, and we will have to show our customers additional business benefits besides enhanced security. I think this added value can be achieved by putting our users 'in control' of their identities: by sharing with them the rewards of their explicit consent in opening their personal profiles to Relying Party businesses, and not by treating our users' growing profile value as just another 'product' to sell.