All these technology and information-flow and money issues in the Federation Conversation are real, they matter. But none of them matter as much as trust. For flavor, here’s commenter Dewald Reynecke: “I don't trust Facebook/Google as far as I can throw them — I simply do not want to outsource my identity to an advertising company.”
Everybody has to trust somebody sometimes. But the Internet and the world are scary places; mistrust is a healthy component of sanity.
And it’s complicated, because it isn’t just people trusting (or not) Identity Providers (IDPs) and the apps using them. The apps and IDPs have trust decisions to make, too.
Your checklist · As in, how are you going to decide whom to trust?
It’s complicated because there aren’t any pure IDPs. Last time I saw numbers, the four biggest were Facebook, Google, Twitter, and Yahoo; each built its IDP service to support its mainline business. And because of the mainline businesses, each already knows a lot about you.
Which isn’t necessarily bad. What’s bad are surprises; anyone can lose your trust instantly and irrevocably by sharing the wrong things in the wrong way, when you weren’t expecting it. When it happens enough times, you can lose the trust of whole populations.
Mr Reynecke, quoted above, distrusts IDPs specifically because they’re advertising companies. Fair enough, few people love the advertising biz; but I think he’s in a minority in taking it that far.
I personally would love there to be a first-rate standalone IDP that didn’t do anything else, pure identity-as-a-service. If I could think of a business model I’d do a startup in a heartbeat. But I can’t because I suspect most people wouldn’t pay; they’re just fine with getting one-click IDP sign-in magically paid for with someone else’s ad dollars.
Also, I’ve occasionally thought that this is the sort of thing that a government department should offer as a service for citizens; but that was B.S. (Before Snowden).
So when you make your checklist for a trustworthy IDP, I suspect only a few would put “not an advertising company” on it. Here’s my list:
Hasn’t abused my trust in the past.
Has a simple business reason for wanting to be an IDP.
Has a decent business and is apt to be around for a while.
Is technically competent and hasn’t been embarrassingly hacked recently.
Is smooth and fast — gets me signed in with hardly any clicks, and no confusion.
And another question: Is the trust checklist any different for the apps using the IDPs to get you signed in? (Not for me.)
The apps · I generally don’t believe in the old OpenID dream that anyone could show up at any app and say “Here’s my IDP, trust it.” Because it’s hard to convince lawyers and policy people that that’s a sane idea. (Disclosure: I’m sort of with the lawyers here.) So I suspect that we’re looking at apps having IDP whitelists. If you’re a developer, you might be making one soon for your app.
I suspect that an app’s trust checklist for IDPs looks a little different:
Is generally trusted, rather than feared or scorned. (Which is to say, includes the individual’s checklist above by reference.)
Has good sign-in approval rates. (Which means, among other things, “Is generally trusted...”)
Is willing to give me valuable information about my users. (But without forfeiting their trust along the way, which means transparency and ethical defaults.)
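The IDP whitelist mentioned above, as an added example that is not from the original post: an app-side allowlist of Identity Providers checked against an incoming identity assertion. Everything it assumes is an assumption and not from the page: that the assertion arrives as a dict of claims with the usual names `iss`, `aud`, `sub`, `exp` and `iat`, that its signature has already been verified against the issuer’s published key before this policy check runs, and that the issuer URLs and client ids are constructed placeholders.

```python
"""
Added example, not the post's own code: an app's allowlist of trusted IDPs.

Assumptions (not stated on the page): the identity assertion is a dict of
claims named `iss` (issuer), `aud` (audience), `sub` (subject), `exp`
(expiry, Unix seconds) and optionally `iat` (issued-at); the assertion's
signature has already been verified by the sign-in library. Issuer URLs
and client ids below are constructed placeholders.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class TrustedIdp:
    """One entry on the app's IDP allowlist."""
    issuer: str      # value this IDP puts in the `iss` claim
    client_id: str   # the app's registration with this IDP; must appear in `aud`
    max_age_s: int   # how old an assertion from this IDP may be


# The allowlist is data, reviewed like any other policy artefact.
# Constructed placeholders, not real registrations.
IDP_ALLOWLIST = {
    "https://idp-a.example": TrustedIdp("https://idp-a.example", "app-client-id-at-a", 300),
    "https://idp-b.example": TrustedIdp("https://idp-b.example", "app-client-id-at-b", 300),
}


class RejectedAssertion(Exception):
    """Raised with a reason when the assertion fails the policy check."""


def check_assertion(claims: dict, allowlist=IDP_ALLOWLIST, now=None) -> str:
    """
    Return the federated identity "<issuer>|<subject>" if the assertion comes
    from an allowlisted IDP and is addressed to this app; otherwise raise
    RejectedAssertion. Unknown issuers fail closed.
    """
    now = time.time() if now is None else now
    issuer = claims.get("iss")
    idp = allowlist.get(issuer)
    if idp is None:
        raise RejectedAssertion(f"issuer not on allowlist: {issuer!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if idp.client_id not in audiences:
        raise RejectedAssertion("assertion not addressed to this app")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise RejectedAssertion("assertion expired or missing exp")
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and now - iat > idp.max_age_s:
        raise RejectedAssertion("assertion too old for this IDP")
    sub = claims.get("sub")
    if not sub:
        raise RejectedAssertion("missing subject")
    # Scope the identity to its issuer: the same `sub` from a different
    # IDP is a different person, so never key user accounts on `sub` alone.
    return f"{issuer}|{sub}"


def decide(claims, allowlist=IDP_ALLOWLIST, now=None):
    """Wrapper returning (accepted, identity_or_reason), handy for logging and metrics."""
    try:
        return True, check_assertion(claims, allowlist, now)
    except RejectedAssertion as e:
        return False, str(e)


if __name__ == "__main__":
    NOW = 1_380_000_000  # constructed fixed clock so the output is reproducible
    samples = [
        {"iss": "https://idp-a.example", "aud": "app-client-id-at-a", "sub": "u1", "exp": NOW + 60, "iat": NOW - 10},
        {"iss": "https://idp-z.example", "aud": "app-client-id-at-a", "sub": "u2", "exp": NOW + 60},
        {"iss": "https://idp-b.example", "aud": "someone-elses-client", "sub": "u3", "exp": NOW + 60},
        {"iss": "https://idp-b.example", "aud": ["app-client-id-at-b", "x"], "sub": "u4", "exp": NOW - 1},
    ]
    for claims in samples:
        print(decide(claims, now=NOW))
```

The design point is that the list is closed by default: anything not on it is rejected before any user record is looked up, and the accepted identity carries the issuer with it, which is what keeps two IDPs from colliding on a subject identifier.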
The IDPs · We have to exercise our trust muscle, too. In particular, we have to decide whether to trust apps. Since people don’t read approval screens, we know that apps will usually get the information they ask for. Some will ask for too much, then abuse it.
And so we probably have to pretend it’s our responsibility even if we and everyone else were playing by the rules. Thus a good IDP has to be looking at approval rates and a bunch of other diagnostics, and deal with loss-of-trust situations. [Have I mentioned that being an IDP is expensive?]
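The approval-rate diagnostics just described, as an added example that is not from the original post: a small IDP-side check over consent-screen events that computes, per app, how often users approve what it asks for and how much it asks for, and flags outliers for a human look. The event records, field layout and thresholds are all constructed assumptions; the page names only “approval rates and a bunch of other diagnostics”.

```python
"""
Added example, not the post's own code: IDP-side diagnostics over the app
approval screen. Event records and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed consent-screen events: (app_id, scopes requested, user decision).
EVENTS = [
    ("app-photo", ("email",), "approve"),
    ("app-photo", ("email",), "approve"),
    ("app-photo", ("email",), "deny"),
    ("app-photo", ("email",), "approve"),
    ("app-grabby", ("email", "contacts", "location", "messages"), "deny"),
    ("app-grabby", ("email", "contacts", "location", "messages"), "deny"),
    ("app-grabby", ("email", "contacts", "location", "messages"), "approve"),
    ("app-grabby", ("email", "contacts", "location", "messages"), "deny"),
    ("app-new", ("email",), "approve"),
]


def app_stats(events):
    """Per app: number of prompts shown, approval rate, mean scopes requested."""
    prompts = defaultdict(int)
    approvals = defaultdict(int)
    scope_total = defaultdict(int)
    for app, scopes, decision in events:
        prompts[app] += 1
        scope_total[app] += len(scopes)
        if decision == "approve":
            approvals[app] += 1
    return {
        app: {
            "prompts": prompts[app],
            "approval_rate": approvals[app] / prompts[app],
            "mean_scopes": scope_total[app] / prompts[app],
        }
        for app in prompts
    }


def flag_apps(stats, min_prompts=3, min_approval=0.5, max_scopes=3):
    """
    Return [(app_id, [reasons])] for apps that deserve review.
    Thresholds are constructed; a real IDP would tune them against its own baseline.
    """
    flagged = []
    for app, s in sorted(stats.items()):
        if s["prompts"] < min_prompts:
            continue  # too little data to judge yet; revisit when it has more prompts
        reasons = []
        if s["approval_rate"] < min_approval:
            reasons.append("low approval rate")
        if s["mean_scopes"] > max_scopes:
            reasons.append("asks for many scopes")
        if reasons:
            flagged.append((app, reasons))
    return flagged


if __name__ == "__main__":
    stats = app_stats(EVENTS)
    for app, s in sorted(stats.items()):
        print(app, s)
    print(flag_apps(stats))
```

The two signals reinforce each other: an app that asks for a lot and gets turned down a lot is exactly the “asks for too much” case the text worries about, and surfacing it to a reviewer is cheaper than discovering it after the data has been misused.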
Trust isn’t free · It’s not even cheap. You shouldn’t be too eager to give it, but paranoia isn’t a quality-of-life booster either.
I’ll tell you who I don’t trust. I totally don’t trust all the millions of apps out there to take good care of getting me signed in old-school, with yet another password for each. What a goofy idea.
Comment feed for ongoing:
From: Vinay (Sep 25 2013, at 13:44)
If I create a unique password for one of the millions of apps out there, I only have to worry about that application being compromised. Similarly, if that app does something that breaks trust, I only have to worry about them sharing something I've already shared with them.
IDP+ (IDP plus ancillary social data) have a lot more: they have social data, they have what sites I visit, and they have a lot of users.
Even if I trust Google (or Facebook or Yahoo!), I have more worries about them. I'll grant you that they will do a good job with the technical implementation and management of an IDP. They're still a bigger target than the fly-by-night application. They still have more data on me.
A trust violation (whether intentional or by accident) by an IDP+ affects me a whole lot more than a tiny app does.
From: Ed Davies (Sep 25 2013, at 13:46)
Why are arbitrary IDPs any harder to justify to lawyers and policy people than user names and passwords?
Clearly Google would love a fairly closed list of IDPs and I rather suspect they might get it in practice but I think that they should be required to justify it really clearly.
From: Michael Zajac (Sep 25 2013, at 15:09)
I would add to the checklist: not beholden to a foreign government. At least within our own borders, I have some reasonable expectation of respect for my privacy and other rights. (Obviously, this is not applicable in some countries.)
This is the kind of thing Canada Post could be doing. Sadly, their response to the Internet is asking Canadians to accept junk mail.
From: Russell (Sep 25 2013, at 15:17)
If I was using an IDP I would want it to be a company that only provides identity services and charges an annual fee. I use an email provider that charges an annual fee and only provides email. It's a simple business model that has existed since the dawn of time, and that I can understand. I don't have to guess what their motivations or interests are. I would also want my IDP to not be located in America. I don't live in America so why should I store my data there and be subjected to their laws. I would want my IDP to be located in my own country because my country has better data privacy laws than America (particularly for non-US citizens), and if I have an issue with the provider it is much easier to resolve issues with a company that is located in your own country. Just try getting a refund for a faulty item purchased online from overseas, as an example of this.
I also like the idea of providing supplementary data (such as my DOB, address, contacts list, hobbies, favourite colour, etc) on a site by site basis and I'm always happy to have to manually type this stuff in over and over again. Typing it in each time allows me to verify it and make sure that each piece of information is relevant and necessary to the particular website I'm using. I also like being able to customise, falsify, synthesize the data for each site.
Individual logins for each website, or identity providers that only provide identity is the way to go. Mega-social-advertising company based IDP is not for me.
From: Darren Chamberlain (Sep 25 2013, at 15:49)
> I personally would love there to be a first-rate standalone IDP
> that didn't do anything else, pure identity-as-a-service. If I
> could think of a business model I'd do a startup in a heartbeat.
> But I can't because I suspect most people wouldn't pay; they're
> just fine with getting one-click IDP sign-in magically paid for
> with someone else's ad dollars.
This actually *is* a service I would pay for, and I think it makes
sense bundled with a VPN service.
From: Janne (Sep 25 2013, at 17:54)
I'm with Vinay above: with separate logins risk is spread and trouble is contained. If an IDP decides to dump me as a user or something I could lose access (and data) to potentially hundreds of sites at once.
With that said, one more item on the checklist:
- Based in and headquartered in the same jurisdiction where I reside. That means they and I are on the same legal page as far as what they can and can not do; and I will have practical means of asking for redress in case they do not follow those laws.
From: John Cowan (Sep 25 2013, at 19:49)
This may sound goofy, but I think banks would be good at this. In the last decade or so they've gotten a fearsomely bad reputation for cheating customers on the financial side, but not as far as I know for leaking their personal data. There was a big leak from BoA back in 2011, but that was done by a corrupt employee; the bank's interest was definitely not aligned with his, as they ended up having to reimburse customers for unrecoverable losses. No IDP can guarantee the trustworthiness of its employees over time.
When I was a lad, some 30 years ago, I was working for a bank, and my boss's boss was an old techie who had switched to management to protect younger folks from the incompetent managers he had had to put up with. He asked me one day, "What do you see banks doing in fifty years?" I replied promptly, "Keeping people's private keys secure." He nodded.
From: Matt Whetton (Sep 26 2013, at 03:58)
I'm definitely not worried about trusting my identity to an 'advertising company' - at least their agenda is clear.
What worries me (to some degree) is that if one of these big 4 IDPs is breached the scale of the damage.
I also feel a little uncomfortable in that there is little publicly available auditing information from these providers.
From: Daniel (Sep 26 2013, at 05:03)
Please explain how a whitelist is good for anyone but the few Big American Businesses that would end up on it.
A.S. that seems like a *very* bad idea to me. If I won't be able to sign in to *any* site without a Google/Facebook/Yahoo/Microsoft/Twitter account, the whole idea of federated identity is dead to me.
And after the whitelist would have stabilized, there would not be any reasonable way to enter the IDP market, because everyone would always need to subscribe to one of the IDPs already on the list anyway.
From: Peter Rushforth (Sep 26 2013, at 05:07)
I more or less trust the motor vehicle branch. I more or less trust OHIP. All of these services can be infiltrated, yes, but the *bank* asks me for my drivers license, my birth certificate (provincial gov) etc. So those are the identity providers I trust. Certainly not Google, love them as I do. I mean it's their business to exploit personally identifiable information, and I understand that, but it's not a good fit for an identity provider.
From: Duncan Cragg (Sep 26 2013, at 07:44)
Government: here are two links about the UK's rather revolutionary ID Assurance project:
It will allow access to Government services via a Government-run hub that lets you choose from a set of Identity Providers.
They're building it a desk down from me, and it's looking good from here...
From: Daniel (Sep 26 2013, at 11:39)
(I tried to post this right after my previous comment, but got some error message.)
How is "Here's my IDP, trust it" any different than "Here's my email and a random password, trust it" that lawyers and policy people have accepted before. I really wonder this, so I guess it is some part of the implications of federated identity I have not understood.
From: hawkse (Sep 26 2013, at 12:40)
Sorry, simply don't want federated login.
Had your comments required G+ or been driven by that disqus thingie, I wouldn't even write this. Even that is too much of federation for me.
The IDP whitelist scenario sounds like the death of the free internet if you ask me. It simply raises the bar too high for the small guys to even enter.
From: Larry Reid (Sep 26 2013, at 17:56)
I came to comment on the question of whether the IDP should be an advertising company. Personally, I don't mind, but I know a lot of people who do.
I think an IDP that wasn't an advertising company would be a good thing. Banks aren't a bad answer. Credit Unions are of course much better.
As a developer, I totally agree with Tim that I could never implement and maintain a more secure identity system than the pros can. And frankly, I'm not interested in trying.
From: Troy McConaghy (Sep 26 2013, at 21:25)
The Respect Network has been working on these ideas for some time. I encourage you to Google them and (re)read what they've been doing.
From: Bryant Cutler (Sep 28 2013, at 15:36)
A lot of people are suggesting banks as trustworthy IDPs but the large banks don't have any visible ethics, the small banks and credit unions are unlikely to have the technical expertise, and all of them are susceptible to interference from NSA-alikes due to arbitrary enforcement of government regulations.
There's a dilemma here where we're not willing to trust foreign governments or corporations because they afford us no rights, but if our own government can't be trusted, we can't trust ANY corporation in its jurisdiction. The best approach for technically competent individuals would be to run and thus control all their own infrastructure but that's expensive (borderline infeasible) and leaves the majority of the population out in the cold.
From: Laura Hamilton (Sep 29 2013, at 19:14)
Personally, I don't like and don't use the "sign in with Facebook" functionality. I like to have separate logins for separate services, to mitigate losses if something gets compromised. I wouldn't even trust a new company branded as an "Identity Provider," even if I had to pay for it.
I certainly don't trust Facebook -- that's for sure.
From: Simon Griffee (Oct 29 2013, at 00:35)
At this time, I trust Mozilla and the Electronic Frontier Foundation.