Identity, Single Sign On, and 'information gleaned for marketing' etc. are all different overlapping issues.
Truly there are almost zero situations in which an entity needs to know your real identity. You bank, surely, but you go into the bank to do that.
Single Sign on via Google and FB is now normative because they're ubiquitous and convenient, and of course, FB id's come with a greater possibility of legitimacy, and nice FB pixel marketing data.
I suggest that thre is something that could work, it just needs to be put forward by a credibly entity that for whatever reason feels it's in their interest, whereupon those interests are not entirely conflicted with the individuals right to privacy.
Identity is a somewhat philosophical and thus nebulous concept.
What is my 'real identity', honestly? How does a bank prevent me from opening an account in the name of my hypothetical identical twin if I borrow the appropriate documents? How would a government agency?
The reality is that identity winds up being evaluated as a relationship. My bank identity is as a particular customer, and me attempting to opening an account in someone else's name doesn't change that - rather, it is a sign I as a customer am planning to commit fraud. In some fashion, a process attempting to tie an interaction to an identity is actually attempting to tie behavior to consequences.
This made the article a bit difficult to understand - was the point that the sharing of identity, and thus trying to die back to one 'true/real identity', is flawed?
Or perhaps that this concept of local identity isn't always needed to perform a transaction - I don't care who a customer is as long as I know the information that I'm acting on is true?
Single Sign-on itself is an often abused topic - it generally means that authentication (providing proof that you correspond to a particular identity I hold) is reused.
However, Federation is the process of sharing that information across domains, and is usually done via protocols like OpenID Connect or SAML.
Google Sign-In, Facebook Connect, and other IDPs usually combine both - and the value comes not from signing in with google credentials, but that you often already are signed in with google/etc credentials.
The value you get back contains a subject attribute, which is a unique (possibly globally, or perhaps only within your service) identifier for the user account upstream. This value is what turns these social logins to an authentication for your own site or app.
At the minimal level, the information leakage is mostly to the IDP - they see where and when you are authenticating. However, the IDP is free to offer whatever additional attributes and authorizations they decide to - verified email addresses, API access to user data, and so on.
Possibly, the IDP even shares some piece of information your service might rely upon because you consider it the user's 'real' identity.
I don’t think that FB itself is necessary, but many services rely on the ability to have a cheap identity verification. Let’s take three examples.
Dating apps now almost all depend on you connecting either
- a social media account, almost universally Facebook in the West;
- credit card information. Not everyone is comfortable with that one.
If a user doesn’t connect, most services implement some soft-gating to prevent abuses of trust. Uber, for instance, let an established user order a ride without having to input a bank card when their previous card was expired.
A large part of political communication relies on having a reliable proxy for an identity for campaigns. It doesn’t have to be perfect but it can’t have 50% of Russian sock-puppets. Even if Facebook Identity has been disputed, it remains far more reliable than, say, Twitter in that regard.
You might not use any of those services personally but you rely on people who do. A society where people can’t find a partner because dating conventions are broken; where everyone has to own a car; where democracy is at the mercy of press barons -- that would be problematic.
My point was less that Facebook was the best identity, or irreplaceable (which is certainly not true; more than any other message, Mark Z. repeats all the time that Facebook will be replaced sooner rather than later). Google offers one that I think has strong software support, but less social proof. My point was that most people are unaware of the impact of having that option of a “Trust API”, even imperfect. You didn’t seem to.
Some people would prefer to have a government-operated identity or a bank-based one; those are actively developed in Nordic countries. I have used both and I’m in awe of what they unlock.
Some people (quite common on HN) hate the idea of depending on either and would prefer to rely on a system that they built or on have a choice of private solutions around a cluster of standards. OAuth is the best example of that vision. I’d love to see something more mature emerge (if anything so that not every website relies on the broken password authentication). But once again: even if the software works, I think the main benefit is less from token exchange and more from authenticity. I’m not sure that a cluster of service can guarantee that.
Doesn't matter which large company "gets" it -- what we really need is a good, decentralized, easy to use, open, optionally-anonymous identity system on the web. Easy-to-use being the key feature.
Until that happens, whether it's FB or Google or whomever else, we're stuck as the "product, not the consumer" (as Arrington correctly puts it).
A lot of time you don't need to identify people, you just need unique accounts. There is no fundamental need to have one identity linked on HN, reddit, Facebook.
Ah, I see. I was implicitly assuming that the parent's other requirement:
> different pseudonyms available that __don't reveal your 'true' ID or other pseudonyms to the site owner__
(which isn't offered by Facebook—right?—and which does require trust in the issuer) would be part of the putative Google Identity.
On the other hand, having spent this much time arguing that it wouldn't happen, I'm now wondering why OpenID with Google as 'vouching agent' (or whatever that part is called) doesn't count.
The problem with the multiple-vs-unique-ID debate is that people tend to ignore what these systems are really built for: data mining, behavioural analysis, targeted advertising etc.
Users will agree with moot that separate identities are better and safer, but this is not how the real FB/Google customers see it; advertisers and marketeers want to know that user-A is an engineer AND loves cooking AND has a pet AND goes on 4chan.org/tv, not just one OR the others.
That's why FB/Google try so hard to reconcile all your activities under one ID: to better represent the unique intersection of interests that will be resold to marketeers. Any feature they implement to "manage your faceted identity" will only give you an illusion of separation, and will inevitably link all your activities anyway, because that's necessary for their business model.
Note that this is not a rant (I use FB and G+ every day), I just think this point tends to be overlooked when talking about "social" websites, almost like it was not polite to point out where these businesses make their money.
Oh. In Single-Sign On / OAuth terminology, the bank’s website is the Identity Provider (IdP).
Banks in the US depend on government-issued ID and information contracted from credit bureaus (3 big companies that are effectively data brokers about consumer lending behavior). We have federated identity, but in a weird, ineffective way.
Every once in a while, someone bold makes a political proposal to make our authentication / identity proof systems simpler, but then people realize the privacy implications (and religious fundamentalists point to the “mark of the beast” part of the Bible) and then the proposal doesn’t go anywhere.
The thing about a single online Identity is that there should be no way for it to be revoked against the will of the person it identifies. In real life I am who I am, and unless I choose to change that, no-one can legally take my identity from me.
There's been too many horror stories of people being locked out of their Google or Facebook accounts by Google and Facebook, even for the most minor of infractions, and that person immediately also losing access to to all the other services they used 'Sign in with...'
Until this problem is solved, I will never switch to a single online Identity for access, and I certainly will never use my Google or Facebook account to register with third party services.
You can already sign up for a bank account online and prove you are who you say you are by inputting enough personal information so they can verify you.
Sure there is potential for identity theft but much less so than with what they are proposing now.
As far as single logins, there is already a well established solution with OpenID, OAuth, and the Log in with Facebook / Twitter style logins.
Ah, okay, you were referring to identity in the technical sense rather than the social sense. I agree that increased adoption of OpenID or Persona would be great. Persona holds the most promise in my opinion, since it's similar enough to existing sign-in systems as to not confuse the average user... but it does require providers to actually use it.
I think this idea is something that many people are dreaming/afraid of. I see myself among the former. Just like using a finger-print, an iris scan, face-recognition, the ability to readily identify users is something I dream of. It would reduce the friction in many cases.
Just imagine you don't have to carry around all your loyalty cards, the tailor at your store immediately knows your size, you fill out a standard form very easily.
It's one of these things IMO that would create much joy and convenience in the world. People however rightfully criticize the possibility of abuse here. Indeed, having ready access to identity is something not easily to digest to many that love the anonymity of the Internet. Many open initiatives like OpenID have not seen the coverage needed to make such a system happen on a broad basis, Facebook Connect is probably the closest solution. Mozilla BrowserID is the next ambitious project that tries to tackle this space, however I question whether one could ever design an identity system, or whether it just "happens" like Facebook and Twitter showed.
It makes me wonder why identity has to be a centralized government thing. For most purposes, my google account is my primary identity. If I forget a password, resets go there, so it's my foundational identity online. Per-purpose identity seems like an okay thing. I could have a financial identity, and gaming identity, a communication identity, etc. Just like the government doesn't need to know what I own on steam, it doesn't need to know my credit score. And just like steam doesn't need to know my drivers license/social, maybe my bank shouldn't either?
Writing this, I'm realizing how closely identity and privacy are related. For any transaction with memory (like games I buy on steam) there needs to be some identity. Connecting that identity to my other identities is a privacy question. We're probably at a tipping point where we could go either way next. It scares the crap out of me to think about it that way.
That's a fair point. However, identification is not only about uniqueness, it's also about proving that you are who you say you are, which still requires a central authority -- or maybe another un-fakeable certificate, although I'm not sure how it would be implemented without depending on another type of identity (such as email).
Identity is basically a combination of certain Verified Claims about yourself, signed by some third parties. Given enough of these, you can uniquely identify one or a few people in a given population.
These are all things that we should have a say in how they is used, instead of unilateral usage by third parties such as credit reporting agencies, social networks and banks.
We need to fund tech that gives us the power over our own identity! Like telling friends who you are on some networks and not others, instead of Instagram and Telegram assuming all your FB friends or phone contacts should know.
I like Mozilla’s fund too. I like NIST’s NSTIC grants. We need more!
Identity is important for reputation and so on. But we have to unbundle the claim verification service from the certificate, we should make it so you can’t be tracked between domains. One Government ID or Facebook ID for everything may be one of the least libertarian and least secure ways to do it.
You don't have to force it either. It could be an option. And if it was well-designed, it could probably be made so that it was only pseudo-identification, e.g. where the site knows you're a real person, but not which one, and where the issuer knows you have an account on the site, but not which one.
Of course decentral identification is preferable, although not having too strong identification is a feature too. Of course giants try to get into the business of identity providers. This is a standard strategy of tech, image the business opportunities aside from providing security. It isn't conspiratorial at all, this has been going on for a while and everyone should take a close look here.
I don't want to ID against Google, Facebook and co. Doing so would mean they know exactly what services you identify for.
What is the major benefit of something like this? I can't think of a single transaction I've undertaken in the past few months (either online or offline) where it would have been to my advantage to authenticate my real name. I frequently need to authenticate an ongoing relationship (my gym membership, logging in to Amazon Prime), but in none of these situations does it matter who I am, just that I'm the same person I was before. Generally those counterparties get that information anyway, but I consider that information leakage an artifact of the authentication process, not a beneficial feature of the system.
We already have solid methods for identifying ourselves as the same person as we used to be (various public keys, for example), and if we want to establish a consistent identity across multiple contexts/domains, we also have that option. This really doesn't benefit consumers in any way.
To be clear, I was referring to one federated identity that everyone would accept, as it stands there isn't a single, federated identity provider that Apple, Facebook, Google, Microsoft, Amazon, Bank of America, my power company, etc and so on will all accept. I'd like to secure one spot on the internet as an identity, a digital passport of sorts, and secure that heavily then have it log me in to everything. The closest thing we have currently to a digital identity is an email account, but we should really move past that.
Truly there are almost zero situations in which an entity needs to know your real identity. You bank, surely, but you go into the bank to do that.
Single Sign on via Google and FB is now normative because they're ubiquitous and convenient, and of course, FB id's come with a greater possibility of legitimacy, and nice FB pixel marketing data.
I suggest that thre is something that could work, it just needs to be put forward by a credibly entity that for whatever reason feels it's in their interest, whereupon those interests are not entirely conflicted with the individuals right to privacy.
reply