Brad Ideas - openid - Comments

Legislation doesn't cut it

brad — Tue, 06 May 2008 11:40:11 -0700

Legislation is not impotent, but it’s very far from omnipotent. Information flows around the rules, if you let it out. Regularly we see stories how how you can buy all sorts of records from corrupt government employees. I doubt we can stop corruption.

In addition, we can’t solve the problem of future surveillance technologies that most people have not dreamed of. Today there is not adequate AI to understand all this data we’ve let out, but there will be, and laws won’t stop it.

Yes and No

Radovan Semancik — Tue, 06 May 2008 10:27:11 -0700

Although I can agree that the way OpenID folk is heading is wrong, I cannot agree with everything. I do not agree that making the information sharing easier will inevitably lead to the massive disclose of personal data. I think that proper legislation and a good reputation mechanism can lead to a suitable equilibrium between privacy and disclose.
I strongly recommend you the books by Daniel Solove, especially "The Digital Person". You can find many answers there.

"BEPSI"

Rohan Jayasekera — Fri, 25 Apr 2008 15:59:33 -0700

People should have a choice of names.

One could be based on your QID proposal: QID Option to Keep Exporting.

People would then be able to choose between BEPSI and QOKE.

Nice turn of phrase

Josh McHugh — Wed, 19 Mar 2008 17:46:03 -0700

Top-notch rhetoric-Fu:

While some portable data advocates think of the portability systems as “vaseline” that will grease the skids of smooth interoperation, the truth is it may assist another function of vaseline.

F, as they say, TW!

Still has user choice

brad — Fri, 14 Mar 2008 18:48:17 -0700

Your document still talks about user choice and configuration of what information is given out.

This reflects the common mistake here. You think of technologies like this as ways to control how your information is given out. They also need to be thought of as technologies that facilitate the giving out of information.

Unfortunately, you just can't facilitate the giving out of information without causing information to be given out more often.

The only way I can see to make it work is if you don't give out information. Instead you receive tasks to be done with your information, and do them for the outside application.

However, the problem is you can only do tasks that have been defined. Alternately, you can import generic code to do tasks, but you need a way to trust that code, since it could of course just suck in all your information and export it.

A proposed solution to identity issues/paradox

Trey Tomeny — Fri, 14 Mar 2008 05:52:35 -0700

I emailed you with an earlier version of this idea about a year ago. Check out http://thetrustednet.org to see if this iteration overcomes your previous objections. It involves organizations that are set up with the sole purpose of being identity service providers, dubbed here "Privacy Providers".

Trip-codes

Julian Morrison — Sat, 30 Jun 2007 05:47:40 -0700

If you need authenticity without identification ("only the real Mr Anonymous could have written this comment") there is a solution called "trip-codes", used in parts of the web. Basically, the user enters an arbitrary password which is hashed and the hash value is displayed alongside the user name. It's hard to fake, because you'd have to guess the password. However it makes no intrusive assertions about real identity.

But my son doesn't understand

Liz Strauss — Sat, 30 Jun 2007 00:49:38 -0700

You and I understand the value of privacy, but my son is just out of college . . . he's immortal still. He's been on a computer since he was three, and he's never been in danger in any world. The young men and women he went to university with and the young men and women who visit my blog are flattered when programs offer to track their slightest preferences.

The folks at CVS don't understand what they are giving away when they get that 10% discount, so why should my son with no experience understand?

It's not only that easy to go along with giving away the information. It's also that often an ego boost comes with the giving -- look there's my picture on the MyBlogLog widget, isn't that cool? Watch them track me all over the Internet.

It seems that many folks just can't see below the surface. Some days I feel that it could be too late for most of us already.

Sure

brad — Fri, 29 Jun 2007 21:07:53 -0700

Those of us in the tin-foil hat community (and I include myself) can do a lot with the more advanced identity control tools in OpenID. Though we already can do that, and many of us already do, with the old fashioned password reminder tool in the browser or various plugins.

Again, as I said, the easier you make it to hand over identity info, the easier it is to demand it.

Directed identity in OpenID 2.0

Simon Willison — Fri, 29 Jun 2007 17:48:35 -0700

Hi Brad,

Great post, lots of stuff to think about here. Are you aware of the directed identity stuff going on to OpenID 2.0? Essentially it will let you enter the URL to your OpenID provider (rather than your specific OpenID) - your provider will then generate a one-time OpenID that only works for you on that particular site, preventing that site from correlating your accounts. Your provider will still know which accounts you are using, but at least you can chose your provider based on their privacy policy.