Internet Identity -> Reputation Networks and more

Effective, distributed, and automated third-party Identity systems will touch and change just about everything on the Internet. (Tip of the hat to Kim Cameron for the proposal and work behind that link.)

For the last few months I’ve been exploring how VRM and Complex Search might be augmented with an Internet Identity Meta-System (IIM). The first idea was simple: provide special product offers or search results based on identity. If you are a member of a particular affinity group, it would be useful to target promotions and advertisements automagically.

For those who don’t know how IIM works, think about it as third-party authentication where the second party need never see your secret information.

Instead of giving your Social Security Number (SSN) to a potential lender so they can check your credit rating, IIM uses a form of token-passing to let you authenticate directly with the credit bureau (who already knows your SSN), who then tells the lender your credit rating.

Make sense? Essentially, you and the vendor agree to use IIM and swap tokens. You go to the credit bureau with that token, and authenticate yourself directly. The vendor goes to the credit bureau with their token and gets your credit score. Result: vendor has the credit report and never required your SSN, name, or other “secret information” that might enable identity theft by an unscrupulous lender or middleman. [Note: this isn’t quite how it works, but it is correct enough for the explanation.] In a fully realized IIM, all of these tokens are created and exchanged magically and nearly invisibly, just as SSL today makes it trivial for users to establish secure communication links between web browsers and servers without really paying attention to certificates.
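The token exchange described above, modelled as an added example (not part of the original post, and not the actual Identity Metasystem protocol). The class and function names, the two-token grant, and the sample SSN and score are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SAMPLE_SSN = "000-00-0000"   # constructed placeholder, not a real SSN
SAMPLE_SCORE = 742           # constructed sample claim


def digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class Bureau:
    """Third party that already holds the secret (SSN) and the claim (score)."""

    def __init__(self, records):
        self._records = records   # ssn -> score
        self._grants = {}         # digest(vendor_token) -> (digest(user_token), score)

    def authorize(self, ssn, vendor_token, user_token):
        """Called by the user: authenticate with the secret, consent to one release."""
        score = self._records.get(ssn)
        if score is None:
            raise PermissionError("authentication failed")
        # Only token digests are stored, so a leaked grant table cannot be redeemed.
        self._grants[digest(vendor_token)] = (digest(user_token), score)

    def redeem(self, vendor_token, user_token):
        """Called by the vendor: both swapped tokens must match a pending grant."""
        # pop() makes the grant single use; a wrong attempt also burns it (fail closed).
        grant = self._grants.pop(digest(vendor_token), None)
        if grant is None or not hmac.compare_digest(grant[0], digest(user_token)):
            raise PermissionError("no matching grant")
        return grant[1]


def run_exchange():
    bureau = Bureau({SAMPLE_SSN: SAMPLE_SCORE})
    # Step 1: user and vendor swap fresh random tokens; no SSN is involved.
    vendor_token, user_token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    vendor_view = [vendor_token, user_token]     # everything the vendor ever holds
    # Step 2: the user authenticates directly with the bureau.
    bureau.authorize(SAMPLE_SSN, vendor_token, user_token)
    # Step 3: the vendor redeems the token pair and receives only the claim.
    vendor_view.append(bureau.redeem(vendor_token, user_token))
    try:                                         # replaying the same tokens must fail
        bureau.redeem(vendor_token, user_token)
        replay_ok = True
    except PermissionError:
        replay_ok = False
    return vendor_view, replay_ok
```

`run_exchange()` returns what the vendor ends up holding (two random tokens and the score) and whether a replay of the same tokens succeeded.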

The nice thing about a ubiquitous and inexpensive IIM is that it will make it possible for practically anyone to host an identity service. Any entity with a meaningful relationship with you could validate that relationship instantly. The result for Complex Search and VRM: relationships that support and improve your search and/or shopping experience.

If you are a million-miler at United Airlines, I’m sure there are hundreds of vendors who would like to offer you special promotions and discounts. Ditto for AAA and AARP membership, or even military affiliation. IIM integrated into VRM and/or Complex Search makes that possible, even simple.

The more I thought about it, the more possibilities emerged. In particular, distributed, secure Identity allows for a new kind of reputation network.

Equifax and other credit bureaus already offer digitally empowered reputation services. Lenders transmit a shared secret (the individual’s social security number or SSN) to Equifax. In return, Equifax gives the lender a real-world financial reputation report based on the identity associated with that SSN.

eBay, Digg, and Technorati use similar reputational effects to help people buy things and find things.

It’s easy to see reputation being a factor in VRM as well, including countering the concerns some people have raised about “window shopping” the VRM system.

To refresh, VRM allows customers to specify their needs in a sort of digital RFP, send that RFP to a distributed marketplace, and vendors reply with bids to fulfill those needs. But what if the customer isn’t really going to buy anything? What if they are just window shopping? Isn’t that a violation of the intent of the system?

Actually, it can be both a feature and an opportunity. It’s a feature because people should be able to window shop. If I’m planning a vacation, I want to be able to evaluate my options before committing to a purchase (one reason I rarely use any of the Priceline buying models). Perhaps I won’t be offered binding contracts when “window shopping”, but I should be able to browse, to see what discounts might be offered for my various affiliations or because of the timing of the purchase, even when I’m not yet ready to buy.

On the other hand, if people claim they are in the market to buy and don’t, that is an abuse of the system. The answer: a reputation network.

A reputation could be integrated with the marketplace, as it is at eBay. Or there could be distributed reputation management, like lenders have with credit bureaus: Markets would inform the Reputation firms about ratings and disputes and Reputation firms would aggregate reputation over multiple markets. In fact, there is no inherent reason that people couldn’t use their reputation at eBay to endorse VRM transactions at other markets, as long as we have an interoperable IIM in place. eBay then makes money by selling access to that reputation, just as the AARP might make money validating the identity of its membership, as it does today.

In short, IIM is an approach to identity that scales with the Internet, without centralized bottlenecks, with all the value and security one requires when checking identity. On top of the underlying autonomy and anonymity of the Internet, there will emerge a parallel fabric of self-organizing accountability and identity. The value and potential uses of such a fabric are just beginning to be defined and understood.

Consider how such a system might allow a reinvention of blacklist/whitelist approaches to SPAM. Or how it might protect children from sexual predators. Or even provide seamless, anonymous access to semi-restricted public services like disaster relief programs.

There’s still a lot of work to do. Once we get the infrastructure fully defined, toolmakers will need to integrate it into clients and developers will need to build services that utilize it. But once the pieces start clicking into place, it should be interesting to say the least.

If you can make it to the Internet Identity Workshop this next week, please say hi. I’m looking forward to meeting folks engaged in this space. I’m also looking forward to learning more about the current state of development, especially how current approaches inter-operate.

2 responses to “Internet Identity -> Reputation Networks and more”

  1. James

    Does Federated Identity sometimes require Federated Authorization? If so, how come this isn’t ever discussed? Maybe you could address in future blog entry…
