The buzz for 2013

15.01.2013 by Dave Kearns

Last time out, I ended by saying “Next time we’ll take a look at two ideas that, hopefully, will be the talk of 2013.” I lied. Depending on how you look at it, it’s either four ideas – or one idea. And there’s sure to be a buzzword/phrase/abbreviation/acronym or two coming out of it – or them.

I do know that there are four concepts, known fairly well within the identity community, that need to coalesce to create a grand scheme which can be turned into a buzz phrase and picked up by the general media, so let’s take a look and see how they’ll fit together.

At the root of the grand idea is The API Economy. There’s much more about this in our Advisory note, “The Open API Economy,” but here’s a quick run-through:

“The core thesis of this document is that the entire industry is moving towards exposing core competency to programmers, partners, customers and other constituents through APIs. The trend is so important to the current and future success of organizations that it is referred to in this document as an “economy”. The word “open” is often added in front of API and the API economy. Open does not mean “free” necessarily, but is intended to mean “accessible.” Accessibility is measured by both availability and how well it is documented for use.”

With the number of publicly available APIs growing rapidly, the second component of the grand idea can become more than just an abstract concept.

The personal data ecosystem (PDE) is an idea we’ve kicked around in one form or another for over a decade. As Ontario Information and Privacy Commissioner Anne Cavoukian has defined it:

“The Personal Data Ecosystem (PDE) is the emerging landscape of companies and organizations that believe individuals should control their personal data, and who make available a growing number of tools and technologies to enable this. Aside from legal requirements, the starting premise of the PDE is that individuals control the sharing of their own ‘official record,’ (also called a ‘golden record’) and set the rules as to who can access and use their personal information for what purposes. In this way the individual becomes the central point of data integration, and individuals always have the ability to extract their data and take it wherever they wish.”

But suppose you could take charge of not only distributing your “official record” (from the PDE) but also building and storing it? The API Economy makes that possible. I’ll show you how in a moment.

The third component of the grand idea is enhanced privacy. When you control the storage and distribution of your personal information, so that other parties never need to store it and never receive more of it than the transaction at hand requires, the privacy of that information is materially improved. Let’s take a look at a fairly common example.

You’re thirsty, and head into the pub for a beer. As things work today, you’ll most likely need to show some form of government identity document (which includes your birth date) to the server. But that document also includes your name, address, and perhaps other personal information. Many women have found themselves subject to unwanted stalking after showing a driver’s license to a bartender on the make.

But let’s say you could send a message to an identity provider (IdP) who could vouch for the fact that you are of age to order a drink – or simply vouch for the fact that you are “over 18” or “over 21” (no need for the IdP to know where you are, or even to see your birth date). The IdP checks with the source of authority for your age (most likely a government agency) and is assured you are “over 21”. The IdP sends you a message and an encrypted URL which you transfer to the pub’s authorization system, which verifies that the answer is “over 21”, that it was issued for this request rather than copied from an earlier one, and that it is signed by an authority the pub recognizes. So the pub knows you’re of legal age, but nothing else, and the IdP knows only that you asked an age question and what it answered. That’s enhanced privacy.

So how do we get there?

That brings us to the fourth concept of the grand idea – a trust framework. The IdP needs to trust that you are who you say you are; the government agency needs to trust that the IdP is legitimate (as does the pub). All of this will be possible through the use of a trust framework to which all of the parties are subscribed.
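The exchange described in the pub scenario above, with the trust-framework check from the paragraph just before this one, as an added example in Go. This is not code from the original post or from any KuppingerCole product. It assumes one thing the text leaves open: that the pub recognizes an authority by a public key registered in the trust framework, so “comes from a legitimate authority” means “carries a valid Ed25519 signature from a key on the pub’s list”. The IdP’s brokering step is collapsed into a direct question to the source of authority; a relaying IdP changes who the customer talks to, not what the pub checks. The authority name, subject IDs, dates of birth and predicate names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is all the pub sees: question, yes/no answer, issuer and the pub's own nonce.
type Assertion struct {
	Issuer    string `json:"iss"`
	Predicate string `json:"predicate"` // "over_18" or "over_21"
	Value     bool   `json:"value"`
	Nonce     string `json:"nonce"`
}

// Authority is the source of authority for age (the government agency in the text).
type Authority struct {
	Name   string
	Public ed25519.PublicKey
	priv   ed25519.PrivateKey
	births map[string]time.Time // subject ID -> date of birth; never leaves this struct
}

func NewAuthority(name string, births map[string]time.Time) *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // a real issuer would load its key from an HSM
	if err != nil {
		panic(err) // the OS CSPRNG is unavailable; nothing sensible to do
	}
	return &Authority{Name: name, Public: pub, priv: priv, births: births}
}

var minimumAge = map[string]int{"over_18": 18, "over_21": 21} // predicates the authority answers
// Answer evaluates one predicate for one subject and returns the JSON assertion plus an
// Ed25519 signature over it; the nonce inside binds the answer to a single pub visit.
func (a *Authority) Answer(subject, predicate, nonce string, now time.Time) ([]byte, []byte, error) {
	dob, ok := a.births[subject]
	years := minimumAge[predicate]
	if !ok || years == 0 { // never evaluate a zero date of birth: it would come out "over 21"
		return nil, nil, fmt.Errorf("unknown subject or unsupported predicate")
	}
	payload, _ := json.Marshal(Assertion{ // cannot fail for a struct of strings and a bool
		Issuer:    a.Name,
		Predicate: predicate,
		Value:     !dob.AddDate(years, 0, 0).After(now), // the Nth birthday has passed
		Nonce:     nonce,
	})
	return payload, ed25519.Sign(a.priv, payload), nil
}

// Pub is the relying party: it hands out single-use nonces and checks answers.
type Pub struct {
	Required string                       // the only predicate this pub cares about
	Trust    map[string]ed25519.PublicKey // the trust framework: accepted issuers and their keys
	nonces   map[string]bool              // challenges handed out and not yet consumed
}

func (p *Pub) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	if p.nonces == nil {
		p.nonces = map[string]bool{}
	}
	n := fmt.Sprintf("%x", b)
	p.nonces[n] = true
	return n
}

// Verify accepts an assertion only if a trust-framework issuer signed it, the nonce is
// one this pub issued and has not been consumed, and it answers Required with true.
func (p *Pub) Verify(payload, sig []byte) error {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	if key, ok := p.Trust[a.Issuer]; !ok || !ed25519.Verify(key, payload, sig) {
		return fmt.Errorf("not signed by an issuer in the trust framework")
	}
	if !p.nonces[a.Nonce] {
		return fmt.Errorf("nonce unknown or already used")
	}
	delete(p.nonces, a.Nonce) // single use: the same answer cannot be shown twice
	if a.Predicate != p.Required || !a.Value {
		return fmt.Errorf("assertion does not establish %q", p.Required)
	}
	return nil
}

func main() {
	now := time.Date(2013, 1, 15, 20, 0, 0, 0, time.UTC)
	dmv := NewAuthority("example-dmv", map[string]time.Time{"alice": time.Date(1985, 6, 1, 0, 0, 0, 0, time.UTC)}) // constructed record
	pub := &Pub{Required: "over_21", Trust: map[string]ed25519.PublicKey{dmv.Name: dmv.Public}}
	payload, sig, _ := dmv.Answer("alice", "over_21", pub.Challenge(), now)
	fmt.Println(string(payload), pub.Verify(payload, sig)) // all the pub ever learns, and its verdict
}
```

Three checks carry the privacy argument. The assertion holds only the predicate and the answer, so the date of birth stays with the authority and the pub never sees it. The pub’s random nonce is consumed on first use, so a captured assertion cannot be shown twice, and an assertion obtained for one counter’s challenge is refused at another. And the pub checks that the predicate is the one it asked about, so a genuine “over 18” answer cannot be passed off as “over 21”. Two things a production verifier would add: an expiry in the signed payload so the nonce table can be pruned, and, if the pub and the authority must not be able to link visits by comparing nonces, a blind or zero-knowledge credential scheme rather than the plain signature used here.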

Put all these parts together – API economy, personal data store, enhanced privacy, trust framework – and you’ve got what we at KuppingerCole call a Life Management Platform.

For a very detailed look at what we mean see Martin Kuppinger’s advisory note: “Life Management Platforms: Control and Privacy for Personal Data,” but here’s what we’re talking about in a nutshell:

“Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information – information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy and security-aware sharing of that information, without the risk of losing control of that information.”

Martin particularly notes that “Obviously, Life Management Platforms are far more than Personal Data Stores. They not only support a secure store for sensitive personal information. They allow making a better use of that information.”

In fact, a Life Management Platform that combines an API economy, a personal data store, enhanced privacy, and one or more trust frameworks is how we will manage our information and our lives in the years to come.

There’ll be a lot more about this – both the Life Management Platform and all of its components – at the European Identity and Cloud Conference in May, and I fully expect (“predict” isn’t the word I want to use here) that the mainstream media will be talking about Life Management Platforms by the end of the year – but I can’t foretell what terms, or buzz words, they might use!

  • @Steve_Lockstep

    The anonymous proof of age use case seems overly complex. Isn't there an easier way?
    To recap, Dave suggested "you could send a message to an identity provider (IdP) who could vouch for the fact that you are … over 18 or over 21 (no need for the IdP to know where you are). The IdP checks with the source of authority for your age (most likely a government agency) and is assured you are over 21. The IdP sends you a message and an encrypted URL which you transfer to the pub’s authorization system which verifies that the answer is over 21 and that it comes from a legitimate authority".
    My first observation is, by the by, someone somewhere in the chain needs to know who you really are. The anonymisation layer provided by the IdP in the example is redundant. Why not have the authority-for-age make the assertion directly, but stripped of identifying information?
    Moreover, why is the assertion ferreted out in real time before being presented? Why can't the assertion be issued once in advance, in a portable persistent form factor?
    For instance, a simpler implementation would have the authority-for-age issue a digital certificate with the age assertion baked in; then the Subject merely needs to sign a challenge-response message from the pub with that certificate. It would be trivial for issuers of certificates containing baked-in assertions to all chain back to a common Root Key recognised by all RPs.
    Orthodox federation architectures exemplified by the Microsoft Identity Metasystem and OIX are over-engineered in my view for applications like proof-of-age, payments, e-health, e-govt, professional transactions and so on. Real time mediated assertion of identity or attributes between Subject and RP caters for parties who have never met before and have little or no context; that is, they are total strangers. But in the majority of important e-business transactions, S knows in advance what assertions RP is going to want to know, and S can arrange to have the right credentials issued by a recognised IdP in advance of going to the RP.

  • jimpasquale

    Drum roll please: when you put it all together, Dave, we get Personal Cloud(s) or pCloud, and everyone needs to start thinking that way. Lots of the pieces already exist in broken-down ways, but they are there. Lots of new pieces are coming together. The IoT (Internet of Things) will never be the same. It's about Personal Channels and Relationship Networks, The Enterprise of One and Me (and all my stuff).

    It all starts with sovereign identity, a whole new freedom front like the Net's never seen before.

© 2015 Dave Kearns, KuppingerCole