Tuesday, February 13, 2007

OpenID: Not all Chocolates and Roses

There has been quite a bit of hype regarding OpenID within that last few weeks. One of the biggest announcements is that Microsoft will work to support OpenID with its Cardspace card selection metaphor. While there are not many details about how this will work, this is still very good news for the OpenID community. There are other major identity players also working to support OpenID for their customers.

I would, however, like to bring some practicality to all this hype. OpenID as an identity system is perfect for the blogosphere and any publicly published content. It provides single-sign-on and auto-correlation across all comments, blog posts, picture galleries, etc that I publish. However, it's the auto-correlation part that causes problems when I'm NOT wanting to operate on the web in a public manner.

There are many tasks I do online that I do not want to ever by public (e.g. my banking site, purchasing history from Amazon, etc). While OpenID provides the single-sign-on benefit I desire even for these kinds of tasks, it also inherently allows for the correlation of my activities by those sites without my consent. This is definitely NOT user-centric.

The problem this creates is that most users will not understand the impact of using a correlatable identifier at all the sites they interact with and will leak privacy information in the process. I do want to note that the OpenID 2.0 draft spec addresses this issue by allowing an interaction method where the user can allow the OpenID Provider (OP) to pick a unique identifier for them. The user will then be known by that identifier at that site. However, my concern is that while this method is supported, it's not getting much traction in the industry.

As OpenID becomes more main stream it will be important for OpenID Providers to address not just the social-web tasks of users, but also the personal tasks of users and provide appropriate privacy protection.

Tags: OpenID, Correlation, Privacy


David Recordon said...

Even with 1.1 you can use different URLs in different cases. 2.0 just makes it easier to type something like "myopenid.com" to begin the flow and pick an identifier.

In any-case, how is this different from email addresses or usernames today? People use the same email address or username in multiple places since they understand they are correlated. If they want a different identity, they create a different username or signup for a different free email address.

Maybe I'm missing something though?

George Fletcher said...

Actually, I don't believe the general user understands the issue of correlation. They just don't want to remember 100, or 300+ identifiers and so resort to always using the same one if they can.

A good identity system should protect the user's privacy by default and allow for public correlation (when desired by the user). In that sense OpenID's are fantastic publishing identifiers.