I was interviewed by Gareth Mitchell last week about OpenID for the BBC’s Digital Planet podcast.
Our conversation lasted about 10 minutes — of which only about two minutes survived (mirrored here as they currently do not keep an archive of previous episodes).
It was a familiar conversation for me, since the primary concerns Gareth expressed had to do with privacy, identity and the notion that “someone else” could “own” another’s identity on the web. His premise sounded familiar: “Won’t OpenID make my identity more hackable?”
The answer, of course, isn’t that straight-forward, and depends on a lot of mitigating factors. However, the fundamental take-away is that OpenID really is no more insecure than email, and even then, provides a future-facing design that that leads to many kinds of protection that email, in practice, does not.
. . .
I’ve also noticed over the past several years that Europeans harbor much greater sensitivities to privacy issues while Americans tend to concentrate on matters concerning “property” (physical, personal and intellectual). This is evidenced by yesterday’s blow up around Facebook’s changes to their Terms of Service. On the one hand, there’s this weird American outcry against Facebook owning your data (in common, at least) forever. From the European side, it seems like the concern is centered more around what the changes mean to one’s privacy, rather than whether Facebook can perpetually “make money” off your stuff.
I bring this up because it’s immensely relevant with regards to the conversation I had with Gareth (given that he’s based in the UK).
With the current case, I’m sympathetic to Facebook, because I know that this will be the year that people have their “mindframes” bent around new conceptions of personal privacy and control and ownership of data. I believe (as Facebook purports to) that people’s desire to share will overcome their desire for control over their personal data, and that they will gradually realize that sharing will require letting go. It is this reality — the reality of networked data in the cloud — that necessitated Facebook’s change to their terms of service — not some nefarious desire to steal your first born (or your data).
In other words, the conditions and kind of thinking that lead to the backlash against Plaxo known as Scoblegate will cease to exist in the future. Facebook’s change is merely a recognition of this new environment.
It remains unclear to me whether the pundits in this space realize that this shift will occur, and will occur naturally (as it has already begun — consider the integration of Facebook and Flickr in iPhoto ’09), or whether they just want to scream and holler when they notice something that seems astray.
. . .
Last December, I spent time talking to Boaz Sender of HTML Times at length about several of these topics (including discussing the intellectual property issues surrounding many of the technologies that are helping to ensure that the web remain an open playing field) in an interview about Identity in the Network. In juxtaposition to my interview with the BBC, I think this interview gets into some of the deeper issues at work here that must also be considered when it comes to the future of online identity, privacy and data control and (co)-ownership.
Factory Joe 
The cultural differences between Europeans and Americans you are referring to are real, and pose interesting challenges for any global service. It’s curious that the european legislation i have seen uses, to define the privacy rules, words which refer to the “property” or “ownership” of the data (which is considered of the user and not of the service that collects it) 🙂
Also I’m seeing (at least here in Italy) a lot of negative comments related to the fact that now a user doesn’t have any insurance that his/her content will be deleted from the site if he decides to close his account.
just wondering what is the latest news for the DISO project ? no news on twitter or on the site since last year.
thanx.
@sash: Great question. Indeed, it appears that DiSo may not be that active, but with the Activity Streams work and Will’s continued work on the OpenID and OAuth plugins for WordPress, there is quite a bit of activity going on, but we’ve been so busy, we’ve just not communicated well about it!
I’ll make an effort to keep the Twitter site more up to date; the mailing list is really where the conversation is, though:
http://groups.google.com/group/diso-project
ok, thanks for the info.
i’m especially interested in BuddyPress integration. I’ve just made a blog post about it my understanding of this movement http://cli.gs/Yqh6Gv
feel free to leave a comment there 🙂
Hi, discovered your blog from the link on the BBC news site.
The worry around what if your OpenID account gets hacked? Seems to be the big concern that people have. Of course as you point out it’s no more insecure than e-mail accounts, but it still seems to be the main thing I hear people commenting on.
The solution? Well I’ve recently discovered and been using the rather nifty Yubikey (http://www.yubico.com/home/index/), I’ve had a quick play around and managed to get it working with my own hosted OpenID provider. I’m hoping it will catch on and more people will start using it.
I’m now off to configure the Yubikey PAM module so I can use it to SSH into my server at home!
Hi – please let me know which OpenID provider you use your YubiKey with?
John.
John, I’m using phpMyID (http://www.siege.org/projects/phpMyID/) which I’ve hacked in the Yubikey authentication stuff from this PHP class http://code.google.com/p/yubikey-php-webservice-class/
It’s not working properly yet (working if I log in directly first but not if another website calls it), but I’m no PHP coder so it’s hard going.
ClavID http://clavid.com/ do offer OpenID with full Yubikey support though.