While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong…

To which I can only respond: “you wish. We don’t have any security economics! Not even the wrong ones.”

In the past, every time I brought up this issue in the OpenID community, I got nowhere. (The Information card community has slightly better ones due to the possibility of branding, but it has bigger problems to worry about right now.) But perhaps it is time to try again …

Yep, we have seen all the pieces that make up the iPad: unibody, touch screen, WiFi, 3G, flash, big button in front, dock, … So technologically, it’s indeed a “yawn”. But this ignores the market innovation that it enables, which is the opposite of a yawn.

Just two examples:

• in healthcare, I can totally imagine hospitals putting up a stand+keyboard for the iPad in every treatment room, and the doctors and nurses carrying iPads. When they enter the room, they put the iPad on the stand, initially switched off, and figure out what’s wrong with you. Then, they can immediately enter what they need to into their medical records system.
  This is the first device for which this has ever been true! It can be carried, it wirelessly connects, it has the battery life, and it is big enough you can actually see something. The iPhone was the closest before, but the iPad nails it. That’s not just a billion-dollar market for Apple, but there is a very good chance we’ll all end up healthier!
• in education, it’s the device that could make printed textbooks obsolete. At $499 plus volume discount, that might even save the school districts money! And imagine what a textbook could turn into if you carried it around like an iPad with WiFi and high-end graphics available.

It’s very impressive that Apple manages to innovate technologically and market-wise in the same company. Any other company that knows how to do that?

Here are quotes from her speech today:

Franklin Roosevelt … delivered his Four Freedoms speech in 1941 …. principles adopted as a cornerstone of the Universal Declaration of Human Rights…

The final freedom, one that was probably inherent in what both President and Mrs. Roosevelt thought about and wrote about all those years ago, is one that flows from the four I’ve already mentioned: the freedom to connect – the idea that governments should not prevent people from connecting to the internet, to websites, or to each other. The freedom to connect is like the freedom of assembly, only in cyberspace. It allows individuals to get online, come together, and hopefully cooperate.

This is exactly how I would have put it. It’s assembly, just on a different type of town square, and just as important as the other fundamental human rights.

It’s smart she puts it as “flows from” what more countries signed already than they are now comfortable with.

She continued:

The United States is committed to devoting the diplomatic, economic, and technological resources necessary to advance these freedoms…

We’re including internet freedom as a component in the first resolution we introduced after returning to the United Nations Human Rights Council…

We are providing funds to groups around the world to make sure that [new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship] get to the people who need them in local languages, and with the training they need to access the internet safely…

Now, ultimately, this issue … [is] … about whether we live on a planet with one internet, one global community, and a common body of knowledge that benefits and unites us all, or a fragmented planet in which access to information and opportunity is dependent on where you live and the whims of censors.

… Historically, asymmetrical access to information is one of the leading causes of interstate conflict. When we face serious disputes or dangerous incidents, it’s critical that people on both sides of the problem have access to the same set of facts and opinions.

For companies, this issue is about more than claiming the moral high ground. It really comes down to the trust between firms and their customers. Consumers everywhere want to have confidence that the internet companies they rely on will provide comprehensive search results and act as responsible stewards of their own personal information. Firms that earn that confidence of those countries and basically provide that kind of service will prosper in the global marketplace. I really believe that those who lose that confidence of their customers will eventually lose customers…

This is exactly how I put it over at Upon 2020 when discussing Google’s China move a few days ago. 10 years ago, it wouldn’t have mattered. 10 years in the future it will be decisive in the marketplace. These are the early rumblings. Mark my words.

And censorship should not be in any way accepted by any company from anywhere. And in America, American companies need to make a principled stand. This needs to be part of our national brand. I’m confident that consumers worldwide will reward companies that follow those principles…

We cannot stand by while people are separated from the human family by walls of censorship. And we cannot be silent about these issues simply because we cannot hear the cries.

There is of course always the issue of how sausage is made, in international politics even more so than domestically. But it’s a good start, certainly better than I would have dreamed.

P.S. Spot the worst offender in this list from her today: “Violent extremists, criminal cartels, sexual predators, and authoritarian governments…”

Dare Obasanjo disagrees: he thinks we only need an OpenID Connect if there were multiple incompatible implementations of Facebook Connect-like products from multiple players, to standardize best practice.

Who is right?

Both, I think. They represent two different points of view that I both sympathize with. I like the first better but the second one might be more realistic. I only realized this a few months ago, this is as good a time as any to attempt to explain this:

First I have to make a detour: OpenID (and related “Open Stack” technologies) are fundamentally interoperability standards. If I have a website and you have a website, OpenID enables our mutual customers to do something interesting by “connecting” some pieces of my website to your website. Take authentication performed on my website to your website, for example. Move data, etc. It’s important to realize OpenID doesn’t do anything that can’t be done already by a site by itself, or within a tightly coupled federation of sites. Instead, OpenID is about interoperability between sites managed by different entities that only agree on the OpenID interoperability specification.

How do successful interoperability standards come into being, and how do they continue to evolve?

I’m not a technology historian, but it appears to me that they usually emerge after several companies have implemented similar, proprietary ways of interoperating, and the potential adopters of such proprietary specifications revolted saying something to the effect of “we can’t afford implementing half a dozen different ways of interoperating with you guys, we need to have one way for the whole industry.”

I think that is essentially Dare’s point. He’s asking where everybody else’s (MySpace, Google, etc.) products are that are like Facebook Connect, and finds very little. His conclusion: this is not the right time for an OpenID Connect.

Chris’ point comes from a different perspective, which is: let’s make the web a better place, and collaboratively design a set of new capabilities that help us all. I understand that perspective very well, because I, like many others, was preaching that perspective ever since I got into that digital identity business in the first place. The trouble is: it’s like molasses, and nothing much ever happens. So far, that has been true about an OpenID Connect, too, for which people like Chris and myself have been asking for for at least a year or more.

I wonder what the newly expanded board of the OpenID Foundation thinks of it. There are enough new faces, in particular from non-technology-platform companies on it that the dynamics may be different. Looking forward to seeing what comes to pass or does not.

Anybody know how they might be secured?

I found myself pondering this a lot recently. It seems we are in for very revolutionary changes … like the becoming irrelevance of the PC. Or the move to NoSQL. Or all web apps being connected to each other, with RSS/Atom and OpenID being the first steps. Vendors, products, architectures, market dynamics will all be a lot different than we are used to.

Clearly worth pondering, or writing about it. Which not many people do. So I just started a new blog at:

upon2020.com

My focus will be the next decade, through 2020, thus the name, which of course is also a word play.

I am taking the risk that I might be terribly wrong with anything I might predict. It might be terribly embarrassing. But then, I hope to have a thought now and then that might spark some discussion, which is really all one can hope with on a blog.

So, enjoy! And disagree, otherwise, how should we all learn?

This blog will continue as before.

Out of the hundreds of slides, I’m quoting two which speak for themselves. Notice that ARPU is going down at the same time many markets are saturating and new competitors show up. Be afraid, carriers, be very afraid.

This week the OpenID Foundation announced that now, exactly 5 years later, more than one billion identity URLs (now called OpenIDs) are operational on the internet. Not bad, I’d say. From 1 to a billion makes a compound annual growth rate of something like 6300%, over five years.

Time to compare the original vision with what it turned out to be. Well, some salient aspects of it anyway:

I did not run for the OpenID Foundation’s Board of Directors this year. I think I’m done there: I’m more of an inventor and innovator and entrepreneur than somebody excited about the daily grind of non-profit work of getting those billion OpenIDs used more every day, one day at a time.

Looking backwards, I think I need to be supremely amazed that this “silly” idea has had such amazingly powerful legs to walk that far. To be clear, if I hadn’t thought of it (and my wife Tammy hadn’t prototyped it), somebody else would have within a couple of years, most likely. And many, many people brought their ideas into the picture without which we would not have come to where we are. Thank you all, this is a story of collective barnraising. Success always has many fathers parents, and I mean that sincerely; in this case probably about a dozen. But still, it’s amazing to look back and trace a straight line over 5 years to the idea of the barn in the first place, and its basic architecture. Here it is, the barn, 5 years later, a billion strong. Not many times that anybody can claim to have had a hand in sparking something that became billions.

The jury is still out whether any meaningful money can be made around this. But I’m getting more optimistic: a billion is hard to ignore, in particular if all major players are on board, which they are. So going into 2010, I’m feeling like it’s time to do some serious business, and I think I know just where to start (contact me if you like)

So far, so good

Happy Holidays to you all!!

Here is an example scenario from the real world:

Like many schools these days, my son’s school has a website where teachers enter current assignments and grades, and students and parents like me can check on student progress. Of course, access to any one student’s information must be limited to those people who are allowed to see it, such as his teachers, the student himself and his parents. To solve this problem, at the beginning of the school year the school provisions an account for each new student, and an account for his parents, and assigns a username and a password to each of them. Then, the school prints out a sheet with the account names and passwords and hands it to the student, who is supposed to not show it to anybody and give it to his parents.

Yeah, right. If your kid is anywhere like mine, both of these “supposed to” are major hypotheses with wholly uncertain outcome.

Even if the sheet eventually reaches me, I now need to remember a new username that I don’t relate to (some funny number, the school can’t know what I usually call myself on-line) and yet another password.

Unfortunately, this anti-pattern of provisioning an account with a credential and then distributing account identifier and credential to the supposed user is very widespread. Just think of banks: “Here is your new account number and you’ll receive the PIN in the mail”. While the postal service is undoubtedly more reliable in delivering the credential to me than a middle schooler is, having the (necessarily unencrypted) credential traverse via an essentially unsecured (and unreliable) channel is the same, avoidable problem.

The solution? It’s an underappreciated feature of OpenID that allows us to turn this situation around:

Let’s say I have an OpenID; most people do these days, whether they know it or not. When my kid registers for school, I not only hand over information about my name and address and emergency contact information as I do anyway, but also my OpenID. There is nothing secret about that OpenID, so there is no problem. The school provisions the account, adding my OpenID to the Access Control List. That’s all. No new username, no new password.

Using OpenID, I now can securely access the account, nobody else can, my kid does not need to deliver any confidential information, and I don’t need to remeber any more usernames and passwords. And the school does not need to print sheets, reset passwords and help all those parents who, mysteriously, never received the sheet with the usernames and passwords because it was thrown out with the lunch wrapping paper or grabbed by some other kid when mine wasn’t looking.

Same thing for the bank. Which is more secure: letting me access my banking account with my, say, Yahoo OpenID, or sending me my password in the mail? Thought so …

Time to get rid of the credentialed account provisioning anti-pattern.

Today, two pieces of news came in right after each other:

• The US Federal Government’s Beacon Community Program has been given $235 million of taxpayer money for “… interoperable health IT and standards-based information exchange within and among providers, hospitals, and populations” “within 15 diverse communities throughout the United States” (see announcement).
• Also, Yahoo announced that they will “deeply integrate” their properties with Facebook’s in order to “provide one place for people to access information and stay in touch with the people they care about most” for their user base of “500 million” (see announcement). No money will change hands as far as I can tell.

Here are the questions:

• How come it needs $235 million of taxpayer money for a mere 17 communities to make some (limited) amount of progress on exchanging data, if Yahoo and Facebook can roll out these kinds of integrations for more people than there live in the US on their own dime?
• How come the $2 trillion+ healthcare industry does not do these kinds of strategic projects on their own? Nobody could reasonably argue the business case in healthcare (save percentage of the $2 trillion) is smaller than Yahoo’s and Facebook’s (a percentage of their revenue, which is in the $10 billion ballpark).

The detractors will say: these things are not comparable, and the announcements have nothing to do with each other. And go back and lobby for more government handouts right after, I presume.

Having worked both in a web 2.0 kind of information interchange environment (e.g. OpenID and friends, in recent years) and a healthcare and “deep semantics” environment (e.g. via our InfoGrid project, for a long time), I beg to differ. Most of the technical hurdles are the same, most of the organizational hurdles are, and while healthcare cares more about security, the web 2.0 world cares more about real-time data exchange, for example. On balance, a wash.

So here’s the challenge to the government that is spearheading health IT, for better or worse (and I am planning to submit this as a comment to Dr. Blumenthal’s blog as soon as I have it up here):

I assume we all agree that an environment in which leading-edge companies innovate on their own to the benefit of their customers is better than one in which the government has to spend large amounts of money to drag along kicking and screaming “participants” — as it is so common in health IT. How do we turn US healthcare IT from the latter to the former?

Or, to put it differently: what is the administration doing so the next Mark Zuckerberg starts a “Healthbook” instead of a “Facebook” and revolutionizes, with the corresponding benefits for everybody, healthcare IT instead of social networking? If the $235 million were spent on that question, now that’d be something!