18.02.2009 by Martin Kuppinger
Some time ago I blogged about the “rise and fall of social networks”. My main point was that today’s social networks lock in the information of their customers – but if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it’s virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing.
Yesterday, the discussion gained further momentum because Facebook has changed its policies. Facebook now claims an unlimited right to use the information which someone has entered – even when the user cancels his Facebook account. Interestingly, the general terms and conditions aren’t (or at least haven’t been) fully translated into German. Some German lawyers claim that they are thus invalid, because German law requires them to be in German.
Overall, the recent discussion and the overall situation is pretty interesting from two perspectives:
- Legal: Which of the general terms and conditions of providers are valid? Given that Facebook doesn’t act in Germany (and most other countries), but from the US, the contract is between a US company and a German (or other) user, that is a very interesting question. It is, by the way, a general issue in the Internet. Most companies will face the same problem once they start using the cloud (and some have experienced these issues in outsourcing). Another question is about copyright and intellectual property rights – are rules like the ones of Facebook or Xing really valid? I have to grant them unlimited rights without any restrictions. I can’t cancel the contract. Once I have agreed, I’ve lost my rights. Besides this, it is as well an interesting question whether the change of general terms and conditions affects information which has been in the network before that change and whether or not someone has to agree explicitly to that change. I’m no lawyer but I think that these are interesting questions.
- Data ownership: Again, it is my network. I really don’t like to have this lock-in.
In another area, the customer relationships, we have a somewhat comparable situation. Vendors have a lot of information about me – and I don’t really know what they know about me. In German law, I can request that they provide me with the information they have stored about me (which might provide reasonable workload if many customers ask for that information). But there are other approaches. The concept of VRM (Vendor Relationship Management) which has been intensively discussed at last year’s European Identity Conference tries to change the play. The customer manages his vendor relations and controls which information he provides to whom. Like I have stated in my older post on social networks, these concepts might be applied to new types of social networks. I’m not quite sure about the business model. But as long as I have to act with vendors which have business models that – like they claim – only work if I give away any control and rights about my information I think it is really worth considering a switch in that area.
I think that companies like Facebook and Xing with their general terms and conditions are digging their own grave. That won’t happen very fast, but once the users have an option which provides them more rights and more privacy, that might happen.
26.06.2008 by Martin Kuppinger
Yes, I know – Information Cards (or Infocards) and their incarnation in Microsoft Windows CardSpace have been around for a while. But it was mainly the inner circle of Identity Management (and especially of user-centric Identity Management) who was really aware of this. With the recent announcement of the Information Card Foundation (ICF), Microsoft and others are trying to improve the visibility of Information Cards as a core element of Identity Management in the so-called cloud.
There has been some discussion around the announcement in blogs and forums in the Internet. One of the most interesting aspects discussed is the necessity to educate the broader public about the concepts and value of Information Cards and the entire “Identity Management for the cloud” (aka user-centric Identity Management, aka Identity 2.0). That must be a main target of ICF, but as well of all the other players in this emerging market.
First of all, I’m convinced that Information Cards as well as OpenID will become central standards in the Internet and for Identity Management. Given that at least OpenID isn’t that far away from reaching the critical mass and that Microsoft Vista adoption (which makes it easier to use CardSpace) is happening pretty fast, as well as some important Open Source initiatives working on these topics, that might happen earlier than most expect today.
Nevertheless it is important to explain the concepts for everyone – and to address the privacy and security concerns many will have. There are so many things which can be done using these technologies, from Single Sign-On and Profile Management in the web up to Corporate Business Cards. But they require an accepted concept.
Thus, the idea of ICF is great, when it goes beyond technical discussions around use cases and implementation issues and really focuses on education as well. On the other hand the member list of ICF proves that there is strong interest and support in the industry for Information Cards. You can bet that no one is in there who doesn’t expect that the use of Information Cards won’t support his business – otherwise they wouldn’t invest time and money into ICF.
ICF is a great thing from my perspective. It will drive Information Cards forward – and thus the Identity Management for the cloud.
29.04.2008 by Martin Kuppinger
I have a personal history in the areas of personalization and profiling. And there might be some good chance for these ideas to become reality now – in the context of Infocards and for the sake of VRM (Vendor Relationship Management).
The threat in personalization and profiling is to know what the person really wants (personalization) or is/has (profiling). The one who knows best is the person itself.
(Managed) infocards can transport virtually everything. They might provide profile information for personalization. A trusted identity provider might offer a service which stores profile information it retrieves from the users and provides it in a controlled way (the basic idea of user-centrism) to web sites which shall provide a personalized experience to the user.
Bring in things like U-Prove and that site doesn’t need to know the exact data but can “ask” the Identity Provider about relevant aspects and retrieve a yes/no decision. For sure the service provider/relying party in that equation will know some things but the amount of this knowledge can be limited – and thus privacy can be maximized.
I’m convinced that there is a business model for Identity Providers. Users might pay for a trustworthy handling of privacy information. Relying parties might pay for the ability to personalize information. There might also be approaches where the service is for free but the privacy is limited – the relying party might pay more if she learns more about the user. Both approaches might work.
VRM fits perfectly into this. It is the use of these approaches for vendor relationships, providing information for buying decisions via Infocards. For me, VRM, infocards and technologies like U-Prove are the pieces of a puzzle which, when ready, shows personalization and profiling as the picture.
27.04.2008 by Martin Kuppinger
Yes, I know – it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.
What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.
How to issue these cards
I have had this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which still exists in the Active Directory. For sure, any other corporate directory or meta directory might work as well.
Today these technical interfaces are still missing, at least in easy-to-use implementations. But it won’t take that long until we will see them. Thus, it is time to start thinking about the use cases.
How to use these cards
There are at least three types of cards I have in mind:
- Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
- Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
- Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or whatever else.
With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.
Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future types of cards.
I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to life.
There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.
19.02.2008 by Martin Kuppinger
With the recent announcements of Yahoo to fully and Google to partially support OpenID and the now official engagement of IBM, Microsoft, Verisign, and other key players of the market in the OpenID Foundation it seems obvious that OpenID is now THE standard for user centric identity management.
I agree – partially. OpenID is A standard for user centric identity management which definitely will, with some advancements, influence the way people act in the internet. But I’m, for example, convinced that it won’t replace Microsoft’s Infocards (as the technical basis). These two things are too different as well from the use cases as from their capabilities. There might be an OpenID 3.0 or something which in fact is sort of a combination of both. But there will be many things from the outside which influence today’s OpenID.
That’s, by the way, no surprise. Virtually any new standard started small and with limited capabilities and grew over time to a more complete, more sophisticated solution. While the original creators of OpenID will focus on ease of use, the new supporters will focus more on “sophistication”.
In the end there will be some OpenID which is much more secure and supports many more use cases than today’s standard – but which is as well a little more complex. But I’m convinced that it will be a major pillar for user-centric identity management over the next years. Together with CardSpace and its incarnations. By the way: We support Infocards at our website right now and OpenID and CardSpace will, for sure, be major topics at the European Identity Conference 2008, with speakers like Kim Cameron.
23.01.2008 by Martin Kuppinger
Some days ago I received a press release which stated that in the UK the cost of social networks is around 6,5 GBP – at least a recent study claims it to be that high. Such numbers are always questionable, for sure. Which are the real costs of someone maintaining his own social network? Difficult to calculate… But: Even 1 billion would be too much.
There is some value in social networks, especially in business networks. But it is obvious that it takes a lot of time to maintain contacts, find people you know and especially to do this multiple times for different networks. I personally have chosen to limit myself to three networks: Xing, LinkedIn, and StayFriends. And I really hate it to do the same work in Xing and LinkedIn. I could easily split half my own “costs” for maintaining social networks if I easily could exchange information between these networks. User-centric IAM approaches applied to social networks thus might cut the costs significantly. One more reason to doubt the future of today’s social networks.
23.01.2008 by Martin Kuppinger
Even while it isn’t real news, being known for some time, it is an important announcement: Yahoo will support OpenID. All 289 million users may use OpenID beginning end of this month as an ID to access other OpenID websites as well – like this blog. This is definitely a breakthrough for OpenID as an approach for a universal identifier in the internet. Even while it will take some time for adoption through the Yahoo users and for support of OpenID on other websites this announcement is a major step towards the critical mass which is required for broad adoption of any new standard and technology.
And, an interesting coincidence, I heard these days some interesting rumors that there will be some major announcements about Microsoft CardSpace/Infocard implementations soon. No more details right now – but it proves the increasing interest in the technologies of user-centric identity management.
It might still take some time from these announcements to achieve the critical mass for a broad adoption of both of these technologies. But it is obvious to me that user-centric identity management is close to the predicted success. Thus everyone should think about the implications for himself personally as well as for his business. User-centric identity management is a business technology, with implications going far beyond of what most people expect today to happen (how about your corporate internet business card?).
By the way: Between writing and posting this blog entry Google announced OpenID support as well. Even while limited to their Blog tool it seems like OpenID support is starting to become a differentiator between competitors. That’s definitely a good sign for the future of user-centric Identity Management.
25.10.2007 by Martin Kuppinger
I still remember some tough discussions I had with eBay in 2004 when we had just started KCP around their missing investments in secure, strong authentication. Interestingly eBay and PayPal are amongst the first now to use VeriSign Identity Protection, abbreviated as VIP. And they start in the German market to roll out this technology.
Basically VIP is sort of a combination of strong authentication with a user-centric identity which can be used with different vendors and other companies in the market. The user requires a token which provides an OTP (one time password) which is used for authentication. Nothing new, so far. But: The VIP network is designed to support multiple partners and it uses only one token. Thus it addresses two of the biggest obstacles of OTPs as a means for strong authentication:
- The cost of deploying tokens is shared and thus lower.
- The user has one token instead of a collection of tokens from different providers.
I really like this approach because it’s a pragmatic one. And I will, for sure, test my VIP card today with my eBay account. Best of all, the token is in credit card form factor and thus very comfortable to take with me, in contrast to some other token I own.
Combine this approach with OpenID and CardSpace and you end up with a solution which isn’t perfect but far more secure and usable than most of the other approaches in the market. Interestingly I had a discussion about that approach with VeriSign some 18 months ago the first time. Seems that today the market is ripe for it.
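The shared-token model described in this post, sketched as an added example that is not part of the original post and not VeriSign code: one token, several relying parties, and a single validation service that holds the secret and burns used counters. It assumes RFC 4226 HOTP as a stand-in, since the post does not say which OTP algorithm VIP uses; the class names, the token ID and the "shop"/"bank" partners are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SharedValidator:
    """Hypothetical central service: the only party that holds token secrets."""
    def __init__(self, window: int = 3):
        self.window = window            # look-ahead for presses never submitted
        self.tokens = {}                # token_id -> [secret, next expected counter]

    def enroll(self, token_id: str, secret: bytes) -> None:
        self.tokens[token_id] = [secret, 0]

    def validate(self, token_id: str, otp: str) -> bool:
        entry = self.tokens.get(token_id)
        if entry is None:
            return False
        secret, expected = entry
        for counter in range(expected, expected + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter), otp):
                entry[1] = counter + 1  # burn this and all earlier counters
                return True
        return False

class RelyingParty:
    """A partner site: stores only the token ID bound to each account."""
    def __init__(self, name, validator):
        self.name, self.validator, self.bindings = name, validator, {}

    def bind(self, user, token_id):
        self.bindings[user] = token_id

    def login(self, user, otp):
        token_id = self.bindings.get(user)
        return token_id is not None and self.validator.validate(token_id, otp)

def demo():
    secret = b"12345678901234567890"    # constructed: the RFC 4226 test secret
    validator = SharedValidator()
    validator.enroll("TOKEN-0001", secret)
    shop, bank = RelyingParty("shop", validator), RelyingParty("bank", validator)
    shop.bind("alice", "TOKEN-0001")
    bank.bind("alice", "TOKEN-0001")
    first, second = hotp(secret, 0), hotp(secret, 1)
    return [shop.login("alice", first),   # fresh OTP at the first partner
            bank.login("alice", first),   # same OTP replayed at another partner
            bank.login("alice", second)]  # next OTP from the same token
```

Because the counter state lives in the shared validator rather than at each partner, an OTP accepted by one relying party is rejected everywhere else, which is what makes one token safe to use across several sites.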