What is identity? That's either an interesting philosophical question or a very annoying one or both--I can't decide. The one thing I'm sure of is that a lot of companies want to manage our online identities for us. Unfortunately, I don't trust any of them--at least, not yet.
Online identity is the core of electronic commerce. When somebody or some company wants to do business with somebody else or another company, it's all based on identity and trust. If I'm trying to buy something from you, I have to trust that you're really the business I think you are and that once I transfer to you the information you need to take my money, you will deliver to me what I want. And you trust that the transaction information is actually coming from me and not somebody who has stolen my identity.
Today, trust between two parties has to be established each time a relationship is formed. So I have one identity with Amazon, another with my bank, another with the phone company, and so forth. It's a pain to keep all these identities straight and to remember which passwords work for each. But there is an advantage to this madness: The identities are separate. If one account is cracked, the exposure of my identity should be limited. You can break into my Amazon account, but you won't be able to turn off my phone.
Passport to nowhere
In 1999, Microsoft launched Passport, an ambitious attempt to consolidate identity. The concept was that, once you were identified by Passport, you could move freely around other sites that were Passport partners. Your identity and authentication would go with you, and you wouldn't have to keep signing in. Nice idea and potentially convenient--but would you trust Microsoft, maker of the world's least secure Web browser and e-mail client, to keep this information safe? Neither did anybody else. Passport is no longer a serious identity play.
Would you trust Microsoft to keep this information safe?
But the idea of consolidated identity is not dead--far from it. The latest direction in identity is something called federated identity management.
The idea is that institutions--banks, businesses, and governments--will communicate with each other about your identity, using standards (that are still emerging) for the passing of identity and authentication data.
For example, a user who is authenticated on a commerce site would be able to go directly to a shipper and upgrade their shipping method without having to create a new account on the shipper's site. This would be possible because the shipper and the commerce site would have a relationship of trust between themselves and an agreement that users who were authenticated on one site would be able to do certain things directly on the other. In other words, Amazon would vouch for me on FedEx, even though I might not have a FedEx account.
But which companies are going to be the primary identity holders? I don't believe that holding identity is the right business for software companies, so I don't think this will be Microsoft's or Amazon's game. Instead, I'm looking to the banks. Identity has value, and we already trust banks to safeguard personal wealth. It stands to reason that in addition to acting as agents for our money, they will be agents for our identities.
Banking on privacy
Citibank is already running an intensive identity-theft advertising campaign; it's not hard to imagine the company offering consumers and businesses even more in this space. It's also possible that cell phone carriers will try to become key identity providers since an increasing number of services are going to be offered via cellular accounts.
If we're going to see our online identities consolidate, I'm in favor of the banks keeping the data.
If we're going to see our online identities consolidate, I'm in favor of the banks keeping the data and being the entities that other companies look to authenticate purchases I want to make. While today I still want to manage my own identities with the various companies I do business with, if somebody has to hold data about me that has value, I'd much rather put my trust in a company whose fundamental mission is, in fact, earning and keeping that trust.
* * * * *
Update: tempting fate
This is what I get for writing a column about backup: Last week, the hard drive on my IBM ThinkPad X40 crashed--badly. I couldn't recover a single bit from it.
The good news: I wasn't kidding about my ridiculously redundant backup scheme, and I didn't lose any of the work files that were stored in my data directory since I had them synchronized with my home PC. The bad news: Neither my Outlook archives (the messages I had filed away, not those still in my in-box) nor my OneNote files were stored in those directories and, thus, were not part of my daily backup scheme. Oops. I lost about a week of work in these programs, but since I've rebuilt the laptop, I haven't missed that data very much.
My lesson: Every once in a while, it's a good idea to audit your personal backup scheme. Backing up regularly and religiously doesn't do you much good if you're not protecting the right files.