The landscape below the internet identity standards war has shifted and it is notable how little comment this has raised among the mob of identity bloggers. Two things have happened. First, is the arrival of in the US of a manditory national ID card which is likely to be chock full of wild and crazy technological gadgetry. The second was the public revealing of Sun and Microsoft ongoing work to bring their identity product offerings into alignment.

Both events were in the air, both seem inevitable. Like the California earthquake. Let me take a very rough and very sloppy run at teasing out what’s really going on here.

The national ID card being brought to live by forcing states to adopt standard driver’s licences. These are likely to be choke full of this years technological widgetry, i.e. RFID tags and such. Technology like this thrives if it finds enthusiastic hosts and these widgets have found lots of those. They have been been spreading very rapidly across the installed base of entities with minimal privacy rights: kids, cattle, shipping containers. There is a huge enthusiasm in our culture for using technology to enable club gate keeping. So there are hordes of folks out there who have problems they want to solve with these toys. Highway toll keepers, prisoner’s on work release or house arrest, owners of clubs and bars that want to keep children out, financial institutions who want stronger authentication. While there is a vocal and concerned community warning that these toys and the systems they enable carry a lot of risk of damaging our social fabric that community hasn’t found a way to get a seat at the table.

The Sun Microsoft story can be read in two ways. The standard media narative has had Sun/Liberty v.s. Microsoft. If you need to maintain that story line then this is truce, defeat, or something. I don’t think that’s the right way to read these tea leaves. I think this is a story best understood by introducing another player: the buyers. Buyers do, sometimes, have some power. The buyers in this case are the CIO/CTOs of huge firms. These folks have a huge amount of pain around issues of intra-enterprise and inter-enterprise identity and data exchange. The buyers are got sick and tired of waiting on the vendors to get their act together. They need highly open dependable solutions, solutions that are not owned by one vendor. I believe that they began put pressure on Microsoft to find common ground with the folks at Liberty. Of course, that was one of the options the Liberty organisers created when they set up the effort.

I do not think that either of these events mean the standards war is over. Some days I think this could be a 100 year standards war. Lots of reasons why this story is going to have lots of chapters. The drivers licenses are amazingly expensive and states won’t swallow that expense without a fight. The huge internet portals like Google, Yahoo, AOL really haven’t entered the standards game yet in a meaningful way. The huge population of tiny web sites don’t have a useful solution at hand. We don’t know what the phone companies and credit card companies are going to do. The whole nature of how we as a culture reframe our privacy in the modern age is totally unclear.

Now, I doubt either of those stories I just constructed off the top of my head are particularly accurate. That they have garnered so little comment from the identity bloggers is a shame. They need a lot more careful picking apart than they have gotten. One way or another, the landscape is now fundimentally different.

Microsoft has been having a lot of trouble recently with identity politics. They appear to be swinging back in the right direction. But is Kim Cameron of Microsoft going too far? Booking a room? Looking for a bottoms up solution?

I think of Double Click as an identity company. An intermediary that builds and brokers models of users.

The clever bit in their approach is that they build these models without having to solve two of the hard problem two problems. They avoided the problem of getting the installed base of client software to change. They avoided the problem have building strong respectful relationships with the users being modeled. You could argue that they turned both these problems on their head; leverging both turning them into advantages for their business.

These problems are both of a kind. They are both hard because the numbers are huge and the benefit for solving them one user at a time are low.

These probelms have a facinating complementary nature. People who work on identity tend to focus on one or the other. People who focus on the need for vendors to create really strong relationships of trust with their users tend to roll their eyes when you suggest impoving the installed base of client software. People who labor to raise the bar on the client side tend to paint stark exagerated pictures of how nieve it is to expect to ever create high trust relationships between weak users and strong intermediaries.

Of course it is the lack of any relationship with the users being modeled, that makes DoubleClick smell so evil. That they conspire with sites to leverage client software cookies enable their model building is just the means of that evil.

I see they are in play.

Here’s a puzzle. If you were king of DoubleClick could you create the missing solid user relationship.

Notice one more thing. A third hard problem in the identity problem space is how to create the governing rules for your circles of trust. Note: DoubleClick has proably got the largest existing “circle of trust.” Good use of scare quotes, huh?

Is there a useful distinction to be drawn between features that enable the user to manage multiple persona and features that assure the user’s privacy? I’m reasonably certain the answer is yes.

Part of what makes these two problems, persona and privacy, appear to be identical is nature of the net where everything revealed runs the risk of being very widely broadcast. Part of it is the way disk drives strive to never forget. The context raises the stakes and that feeds into to exaggerated thinking.

One example that would tend to suggest the answer is no is group membership. As a member of a group you take on the persona appropriate to that group. For example you might join a garden photography group. The persona you would present there would be public. There is nothing particularly private about that persona. The tools for such a site would want to labor more toward helping you manage that persona and less toward keeping it private. For example it would be odd for that site to demand that you sign off prior to anybody viewing your contributions.

Possibly the right way to think about this is that privacy is just one element of the tool suite people need for managing their persona. In that framing privacy needs to negotiate with other features in the design space. As a site designer your goal is to craft a vibrate site with large numbers of users engaged in a high volume of exchange.

It is hard to have exchange in a high privacy system. A large site has to capture a strong network effect via exchange. But a large site also wants to create a complex relationship with the user. A complex relationship with the user – i.e. they want the user to park a well chuck of their persona at the site.

This line of reasoning came out of wondering why sites don’t support multiple persona for their users. Why for example doesn’t flickr or yahoo allow me to casually manage N persona? When I bring up the question people often fall into a discussion of privacy. Which is fine, but wasn’t what I was thinking. I was thinking more that a user at flicker, say, might want to serve different audiences with his different persona. His I love to find curious wild flowers nature photographer persona presented entirely distinct from his famous geeks at conferences paparazzi persona.

If he makes a living at both persona then keeping them separate is not unlike the way a firm keeps it’s public presentation of brands separate.

But it’s not really about privacy; it’s about what tools serve the maintenance of the distinct persona. The privacy question is just a sort of worse case aspect of that and in many cases the worse case isn’t really that big a deal.

In the midst of a delightfully shrill posting we see Ross Mayfield yearning to authorize two vendors he uses to share data about him. What some of us call linking accounts.

Tivo and Netflix Need Each Other: Why don’t they know what movies I have rented or watched? If it’s in my rental queue and I saw it for free on cable, spare us both the hassle.

That’s exactly the kind of thing that Project Liberty and more recently SAML have been trying to enable. One user with two account relationships. Two firms with info about their users. Information they would love to exchange to make those users happier. Serious issues about what embarrassing viewing habits Ross has that he probably doesn’t want getting passed around the internet rumor mill. The firms are just as worried about their secrets.

We can solve this problem. The two firms negotiate an agreement about data sharing. Ross gives his permission to allow his personal data to be shared. Everything necessary to do this is available today. The plumbing isn’t hard. Blocking out the orchestration of the deal is straight forward.

It remains hard getting a legal framework (and that’s what the term circle of trust means) that is robust and reasonable for all three parties.

One of the popular moves in the identity standards war is for one or another player to step forward and announce that they speak for the little guy, the individual. Me thinks we should take these assertions with a grain of salt.

It is a good thing if each participant in the design problem makes a Herculean effort to appreciate the goals, desires, needs, abilities, etc. of the other players. The end users are a hard constituency to satisfy for numerous reasons. Changing their behavior is really hard. Creating a reasonable UI metaphor for the users is hard. Shifting the installed base of phones, wallets, pdas, and personal computers is hard. Overcoming their natural paranoia is hard. Any participant who fails to appreciate that the individual users are probably the most difficult of those players to satisfy isn’t taking the problem seriously.

It is a good thing when each participant is clear about what his goals and constituency really are. It is a bad thing when participants pretend their constituency is one thing when it is in fact another.

When participants in the joint effort of solving this problem assume the role of spokesman for the little guy they become his agents. We do well to look at that agency with care. Absolutely all the players in this design space play this card. I don’t think I have heard anybody outline a design without uttering a phrase like “we put the user at the center, in control of his identity.” Consider a few of the major categories of players in this problem space. The payment’s industry, the telecom industry, the phone/pda/pc OS industry, the server industry, the retail channel industry, the technologists, the governments, the entrepreneurs, anybody with a huge set of account relationships, the privacy advocates. The question arises who elects who king?

What legitimizes that presumption of the role of agency? Market power? Electoral power? Rapid innovation? Strong arguments? Transparency? Interop-testing? Clear IP rights? A process with good checks and balances? The enthusiasm of the right players? A professionally and broadly participatory standards process. Obviously all of these things. What we don’t know is what proportions of each is required.

The rhetoric of putting the user at the center runs the risk of being hollow. At worst it is disingenuous. At minimum it diverts our attention from the complexity of seeing the needs and requirements of the other players in the problem space. You don’t solve the identity problem without bring most of those constituencies along. What we don’t know is what proportions of each is required.

Each time I hear one of the players announce he is putting the user at the center I can’t help roll my eyes. Let me pick on Microsoft, I’m sure it won’t hurt won’t hurt the big old monopoly’s feelings. When Microsoft talks about placing the user at the center what do I hear? First off I hear the echos of the 80s dream, that the personal computer will empower the the under served little guy; ripping power from the hands of the computer center. Then I hear the passion of the UI designer selling his wares. “Ease of use.” “Ease of use, damn it!” He chants, he rants. I hear the a delusion, that the PC monopoly can still set standards like this; that’s not true anymore – the browser war demonstrated that first. That the installed base now includes things like smart cards and telephones only makes it less credible today.

But mostly I hear a classic example of agency. The presumption that a product manager is a legitimate agent for the customers. Product managers aspire to that, great product managers get close. But never ever does a product manager become legit. A product manager is always absolutely the advocate of his product. Microsoft’s product is the OS and when Microsoft says they wish to put the customer first they run very close to becoming illegit and disingenuous. I find myself thinking – great it’s browser war time again; instead of solving the problem we will have the identity version of the HTML tag battles. For example if UI is key, which it obviously is, where is the open transparent legitimate process for getting that widely deployed?

What I like in some of Microsoft’s current rhetoric, well Kim’s rhetoric, is the emphasis on the seeking the “identity big bang.” That should be our common cause. Players in this space should stop pretending they are legitimate spokesmen for other constituencies and substitute in it’s place a clear and transparent statement of what they believe they are doing to bring each and every one of the necessary constituencies into what we hope is the comming big bang.

I don’t get it. Consider this wonderful quote via Ars Digital:

Microsoft has been tracking this information for years through its various sites, including MSN, Hotmail and others, keeping a vast database on tens of millions of individuals, each assigned a user ID Microsofties refer to as a GUID, or global user ID.

How refreshingly straight forward that is.

The drivers for this kind of stuff are very strong. The demand for models, even lousy models, of users is high. The cost to accumulate them is very low. All the major web properties must have this kind of data and the skills to do the model building aren’t rocket science. Amazon is quite up front about it. Double click and others have has been doing it for years.

So I don’t get why this doesn’t appear to be more wide spread and obvious a practice. I shop for tires, say, I don’t currently see tire ads appear through out the rest of my day’s browsing. Why not? Don’t get me wrong, I’d love to find some scheme to temper this erosion of privacy; but that doesn’t mean I’m willing to pretend I don’t see how strong the drivers are.

The question faced by all these operations isn’t persay about privacy – they are not in the privacy biz. Posssibly it’s about a combination of social contract and market maturation. But that doesn’t really explain why the feedback loop closed yet? I reveal a clear demand signal, for tires, but the advertisers are not receiving and actting on that signal. The data is there, the demand is there, so where is the breakdown?

Amazon demonstrates that you can close this loop. If I reveal an interest to Amazon they rapidly customize things to address my presumed desire. It’s actually kind of fun to toy with them. They have solved both the technical and the social problem. As far as I can tell eBay hasn’t.

Why haven’t the big site independent advertiser brokers (google, double click, etc) closed this loop. I guess there are three hypothesis. A. They have and I’m just blind to it. B. The market just hasn’t gotten there yet. C. There is some social contract they haven’t figured out how frame up right. The difference between B and C is slight; one is technical engineering and the other is social engineering.

I don’t get it.