Identity, Facebook, Google, Linkedin, the Government

There is an interesting post by Om Malik over at GigaOm suggesting how Google can get it mojo back from Facebook.

Taking a slight spin on this, I make the observation that a large part of Facebook's value is your identity and your associations and Facebook's willingness to leverage this information elsewhere on the web (Facebook Connect). Facebook Connect is becoming the most common way to login to other sites. The reputation of your identity is increased by your associations: it requires a consipricy to create a fake Facebook account and have N friends, the presence of which increases your identity's reputation.

In reality Facebook only has a subset of my associations. I only associate with friends through Facebook, and not with business associates (though I understand others do add business associations). Compare this with Linkedin which has more business associations, but also has friend associations. In fact Login with Linkedin is starting to be used as a form of login, just like Facebook Connect. Login with Linkedin could become a very interesting play.

Back to Google, my address book may be the most complete list of associations that I maintain and this could be a powerful asset for Google to exploit. Google has access to this address book via gmail and other applications (eg. Android). I sync my Mac address book with my gmail address book. The challenge is to figure out how to leverage this to build a stronger, more ubiquitous identity. I'm not suggesting the answer, but Google is in a good position if they can figure this out. They need to both strengthen the reputation of Google identities and get more people to have Google identities, while at the same time understanding the use context (e.g. Facebook for social, Linkedin for business).

The article I referenced at the beginning of this post has some suggestions about how Google should become more involved in communications, as opposed to just email. In all of this, how does Google strengthen the reputation of their identities? Right now anyone can create a Google ID, through gmail, and add a list of email addresses to their address book, but these addresses do not in themselves create strong associations. There are several ways to strenghen reputation.

The first is by establishing an association graph. If Alice and Bob send each other email, and Bob communicates with a known valid identity, you establish an identity graph. Whether Google could use such an approach is an open question, as there are privacy issues to consider.

The second is by increasing the richness of identity information. Right now my gmail account is my name and email address, but does not include where I work, went to school, etc. These facts would increase the reputation of my identity and its value to third parties. [Update: Google Profiles has recently been introduced would help to address this issue if users could be motivated to provide this information.]

The third is by using of your Google identity in commerce, such as through Google Checkout. PayPal has two levels of identity: the higher level involves having verified your identity against an actual bank account. PayPal does not have the equivalent of a PayPal Connect (they do support OpenID and Infocard), but Google does. And Google could similarly have identities with different levels of vetting.

Lastly Google should be looking at their other services, existing or in the pipes, and finding ways of increasing the strength of their identities. One example is their online health records initiative because you can be sure of the identity that is being used to sync with 3rd party data sources.

How Google can increase the value of Google identities, maintain anonymity for gmail users that wish it, yet indicate the reputation of an identity for third parties without adding complexity is an interesting navigational challenge. Google Buzz and Wave were two attempts at creating greater use of Google identity, and they both failed.

Adding another spanner in the works are what I call natural identities, such as government managed identity and your bank identities. These are natural because banks and government are natural identity authorities. Overseas, governments have stepped up to provide national identites, backed by identity cards. But identity cards are not always flexible enough to be used to login to social web sites, nor would you want to use a government identity for this purpose. The U.S. Government has thrown it's hat into the mix with a proposed National Strategy for Identities in Cyberspace.

I welcome the U.S. initiative on this count: it proposes to address how to make identities interoperable without stipulating what identity to use. Right now you need a Facebook Connect button, a Login with Linkedin button and a button for every other identity that you might login with. You also need to support the protocol for each of these providers (e.g. OAuth 2.0 for Facebook). This does not scale, and serves to shut out smaller identity players. These mechanisms are also not secure from cross site scripting, phishing and other attacks. Embedding login from one domain into another domain, as is done by Facebook Connect, is simply not secure.

There have been failed attempts at resolving identity interoperability. OpenID tried and failed because the user experience sucked. Microsoft Infocard failed because it was from Microsoft and it sucked. Even VISA has jumped into this space, but for payments rather then for identity generally. I personally developed a scheme that didn't suck and that used Flash for security sandboxing while working at Adobe. What sucked is that I worked at Adobe when I did this.

If the National Strategy initiative can improve identity interoperability and security this would be great. I'm not sure they'll be successful. I think they are overreaching by looking at secure sharing of identity attributes rather then just focusing on identity true or false. Infocard and Higgins both focused on sharing identity attributes (e.g. tell this site I'm over 21, but nothing else about me). Though this sounds like good functionality, it also reduces usability because it may require that you ask the user more questions: One thing we know for certain is that users will click through whatever is in there way of getting to where they want to go.

It is interesting times in the identity space. Identity experts, including myself, have talked the talk for many years yet come up with little to show for it. Facebook Connect steps in and looks like they are making identity out to be one of the single most important properties on the internet. Google and others struggle to maintain pace. Yet all of this is being done in a less then secure-for-commerce sort of way, and that gives me pause.