My company Urban Airship just closed a round of venture financing. We’re pretty excited about it.

(Note: I needed this post here to force an update to Google search results – long story … I’m not navel gazing here)

It turns out Google I/O is the week of IIW.  We found out to late to shift weeks but early enough to shift days to only conflict 1 day (the 19th).  Please mark your calendars accordingly.

Early Bird Registraiton is in effect for another Month. Sponsorships and “big tickets” (for those who can expense a higher ticket price but can’t get actual “sponsorship budget”) are still available.

Related posts:

1. FREEDOM Infringed…
2. Identity Open Space: SIGN UP INFO
3. IIW IX is open for business

There are a few events on the yearly calendar where a corum of identity folks come together – RSA is one of them.

We are organizing an informal community Dinner on Tuesday evening at 7pm.

Everyone is WELCOME! just RSVP here on eventbrite. It will be no-host but not that expensive. We are looking at Indian places near the main hotel cluster for RSA.

The hosted Ping Party will follow at a location TBD.

If you were ever a part of or are interested in knowing more about the Identity Gang, OpenID, Information Cards, Higgins, Project VRM, PubSubHubbub, Salmon, XRD, LRDD, XRI, XDI, Volunteered Personal Information, UMA, Kantara, DiSo, Open Social, augmented browsing,  end user focused proctols for individual and community empowerment  this event is for you.

Related posts:

1. Identity for Online Community Managers
2. Identity Gang Dinner at RSA
3. Where is Identity: Supernova 2007 Panel: Do you know where your Identity is?

Next month we are hosting a gathering called Map the Gaps. It came out of a session I ran several IIW’s ago asking the question what if there was a “Legal-IIW” the intent was always to cross communities and connect activities already in this area.  The intent from the beginning was to connect with and work with PPEG at Liberty Alliance. I am happy to be working with Robin from Kantara who ran the PPEG group at Liberty Alliance. Lucy from the Internet Society has been a real champion of the event.

We are threading the needle of size and accessability. Our intent is to make as much as possible about the conversation public and report out.  We also know that the energy is really different with 20-30 people vs. 100.   We are seeking interest particularly from technologist who are interested in understanding how Lawyers think and how different aspects of law are going to end up impacting the technologies they build and how those technologies will change the law.

You can see the matrices we are looking to fill in here on the ID-Commons wiki.

Here is the invitation and this is a link to express interest in attending.

Identity Commons and The Kantara Initiative
present an identity workshop and symposium to
“Map the Gaps”
Sponsored by the Internet Society.
March 18th-19th, 2010, Washington DC

The event will be attended by representatives of the diverse identity communities to help “Map the Gaps” that currently exist between the policy/legal and technology views of digital identity and online privacy.

The intention of the “mapping” exercise is to benefit the overall identity community by cataloguing and examining the characteristics and approaches of various online identity-related technical and legal initiatives, so that they can be applied to find common ground to integrate the research and development initiatives in the identity space.

The infrastructure for online identity continues to evolve, and increasingly raises social and privacy questions which are large, complex, and cannot be solved either by technology alone, or by a “single-stakeholder” approach.

While technologists and lawyers have worked separately in the past, identity technologies are now bringing people together in ways that are so intimate and far-reaching that they change both the way humans relate to technology, and the technologically-mediated ways humans relate to each other. Many of those technologically-mediated interactions are the subject of various established laws, which must now be reviewed in the light of this evolution: the technology cannot properly develop without legal guidance and vice versa.

This effort will depend upon the identification and creation of common concepts, language and paradigms to guide future development in the area.  Our aim is to bring technologists and legal and policy professionals together, establish a common understanding of each other’s domains, and map out the gaps which subsequent work would aim to bridge.

The “Map the Gaps” event will provide participants with a forum to contribute various perspectives on identity-related themes, the output of which may be coordinated with American Bar Association events as well as within working groups at ID Commons and the Kantara Initiative.

Due to limited space, the event is being held by invitation only.  There are, however, other ways to participate in this important work, including submitting written materials for inclusion in symposium online materials.

In order to assure that the broadest possible representation of interests is achieved to inform the work that will take place at the symposium, all submitted papers will be made available to attendees and others on the Identity Commons and Kantara symposium-related websites.

Limited spaces have been reserved at the symposium for a few additional invitations to be extended to individuals and institutional representatives based on a review of submitted papers.  Additional invitations may be extended based on those papers that offer significant perspectives and insights that are perceived to be different than or complementary to those already represented by the existing symposium attendees.

Next steps:
The symposium will be interactive and participant-driven: we ask all persons who would like to attend the meeting as participants to contribute, in advance (and no later than February 28, 2010), a brief (250-500 words) position paper, analysis or other  description of an interesting or pressing problem they have encountered in this field.  Papers will be posted as noted above, and we will extend invitations for participation to the authors of those papers that satisfy the criteria indicated above.

To express interest in the “Map the Gaps” workshop and symposium:

https://www.isoc.org/isoc/conferences/registration/?id=19

Event Committee:

• Scott David, K&L Gates LLC.
• Lucy Lynch, Internet Society
• Kaliya Hamlin, ID Commons
• J. Trent Adams, Internet Society
• Robin Wilton, Future Identity, Ltd.

Related posts:

1. Online Community Unconference East
2. Legal Haze for Social networks. Identity and Freedom of Expression.
3. Announcing The Virtual Rights Symposium on Digital Identity & Human Rights

First, my apologies to everyone who commented on Fixing the Google Account Problem. For some reason WordPress stopped notifying me about comment approval (I’m using Akismet but I still find the majority of comments that get through it are spam, so I moderate comments). So I just logged in and found a bunch of great comments, including several that I replied to.

Three clear themes emerge from these:

1. The problem is even worse if Google Apps is involved. Apparently there isn’t a solution to merging a Google account and a Google Apps account yet (which frightens me because I’m about to need to set up my first Google Apps account).
2. Using email addresses as primary account identifiers is problematic, period.
3. Internet identity managment, especially at scale, is hard. A lot harder than it looks.

I’m told the good folks at Google have been discussing this. Please feel free to add more suggestions about exactly what you think they should do.

Sometimes the results of OpenID logins look a little bit strange, certainly not as expected by users. Blog comments are a good example. Usually I would expect my real name or username displayed there but occasionally it looks like this:

The provider simply didn’t send my name (Google in this case).

While some providers allow personas, i.e. users can create different sets of login information, e.g. one with a business email address and one with a personal one, the most don’t. So what can users do if they want to change
any of the information like name or email address? Actually not very much. Changing the information before each login at the provider is not really an option. Switching to a provider that features personas is a good idea but doesn’t suit all users.

Disqus is a comment system for various platforms like WordPress, Drupal, and many more, and is tackling at least one part of this problem in a rather elegant way. Among other ways it lets users comment with their OpenID. When commenting users see this popup:

They can easily change the display name. It’s a small popup, it’s unobtrusive, and a good example of how relying parties can improve the user experience of OpenID. Well done!

If you want to know, read through this slide presentation put together by Joint Venture Silicon Valley and the Silicon Valley Community Foundation. It aggregates a wealth of data.

One thing that struck me particularly: it says that 45% of all people speak a language other than English at home. That is more than the third of people who were foreign-born.

When I joined the company a month ago, I was baited with the promise that Google was ready to get serious about the social web.

Yesterday’s launch of Google Buzz and the fledgling Google Buzz API is like a downpayment on what I see as Google’s broader social web ambitions, that have been bubbling beneath the surface for some time. Understand that Buzz is not entirely an end unto itself, but a way for Google to get some skin in the game to promote the use and adoption of different open technologies for the social web.

In fact, I’d argue that Buzz is as much about Google creating a new channel for conversation in a familiar place as it is about how we’re going about building its public developer surfaces. Although today’s Buzz API only offers a real-time read-only activity stream, the goal is to move quickly towards implementing a host of other technologies — most of which should be familiar to readers of this blog.

As Kevin Marks observes, in order to address the mess of the social web that Mike Arrington described, we need widespread use [of common standards] so that we can generalize across sites — and thus enable people to interact and engage across the web , rather than being restricted to any particular silo of activity — which may or may not reflect their true social configuration.

In other words, standards — and in particular social web standards — are the lingua franca that make it possible for uninitiated web services to interact in a consistent manner. When web services use standards to commoditize essential and basic features, it forces them to compete not with user lock-in, but by providing better service, better user experience, or with new functionality and utility. I am an advocate of the open web because I believe the open web leads to increased competition, which in turn affords people better options, and more leverage in the world.

Buzz is both a terrific product, and a great example of how the social web is evolving and becoming truly ubiquitous. Buzz is simply one more stitch in the fabric of the social web.

I receive an email from a friend:

Drummond,
As my Word expert, how do I turn off the “balloon” captioning of redline changes?

I think, “Good question. I have no idea. I’ve often wondered that myself.” I’m about to start typing that answer to his email when I remember The Incredible Internet Answer Machine

I open a browser tab and type into the Google Search Bar “Microsoft Word bal…”

Google’s AutoSuggest completes it to “Microsoft Word balloons”.

I click Search.

In .25 seconds the answer is back and the second entry on the list is:

“How to turn off balloons for comments and tracking changes in Word“

.25 seconds. My brain doesn’t even think that fast.

Mind you, the NoSQL community still has a lot of work to do, years and years of work, InfoGrid and many other NoSQL technologies non-withstanding.

But I remember that when I first heard about what SQL is and what it does (particularly, what it can’t do), I thought: “this can’t be true. How many billions in revenue and market cap depend on that oddity?”. That was about when SQL was only about half as old as it is now… which makes this even scarier. (Try: no recursive queries. No abstract data types. No inheritance. No (meaningful) distributedness. No … <insert many other things here>. And how many thousands of lines would you like to write on object-relational mapping today? … )

So with that hat on, I’m proud to display this image as a bumper sticker, which comes from a presentation by Tim Anglade. May SQL never come near you If it does, run!

Disclaimer: I don’t build payroll systems for a living. If I did, I might think otherwise. But I think they have all been built, and the new stuff does require thinking much more along these lines.

Mike Arrington is complaining about fragmentation of his personal media:

Everything is decentralized, and no one is working to centralize stuff. I’ve got photos on Flickr, Posterous and Facebook (and even a few on MySpace), reviews on Yelp (but movie reviews on Flixster), location on Foursquare, Loopt and Gowalla, status updates on Facebook and Twitter, and videos on YouTube. Etc. I’ve got dozens of social graphs on dozens of sites, and trying to remember which friends puts his or her pictures on which site is a huge challenge…

Someone will eventually help us make sense of all these various types of services…

He says the problem is decentralization, but I think he means fragmentation, rather than decentralization. After all, if he didn’t like decentralization he could simply “just do Facebook” (or whatever single site) and there would be no problem. But like most, he doesn’t seem to be interested in picking a single centralized service.

To which Kevin Marks responds:

To solve the social conundrum we need the equivalent - agreed standards in widespread use so that we can generalize across sites. Fortunately, we have these. We have OpenID and OAuth for delegated login; we have XFN, other microformats and Portable Contacts for public and private people connections; we have Feeds and Activity Streams for translating social actions between sites.

This enabling social infrastructure means that we’ll be able to have a new generation of sites that enhance our web experience through social filtering without our connections being centralised in a single company’s database.

Amazing that everybody thinks decentralization is the right approach, and Kevin is certainly right that the continuing adoption of these standards helps de-fragment our fragmented social media universes.

When I disagree is in that I think these standards are necessary, but not at all sufficient. Example in point: OpenID. Just because two sites both implement OpenID, it does not mean that if I log into the first, I’m automatically logged into the second. It does not mean that the GUI looks the same for OpenID at both sites. It certainly does not mean that both sites even know I’m the same person, even if I used the same identity provider. Similar issues arise around all of the other “social connectivity” standards, and even more so when put together.

What Mike Arrington wants, and very reasonably so from the perspective of the user, is massive simplification. We’ve made huge strides in the past 5 or so years in building up a technology stack that begins to address some of these issues, but we are far, far, from being done to get to that simplification Mike asks for. The biggest problem is that nobody can quite articulate how it would look like, other than “simple” in some fashion. Kind of hard to build technology for that kind of specification …

I know reams have been written about “are we all getting dumber because the Internet is getting smarter?”

But still, it does take my breath away, almost every day.

In another one for the “new heights of irony” file: I was using Gmail this morning and once again wondered about the little orange dot that appears next to the names of some email senders.

I’d wondered at least a half dozen times before what this meant, because when you hover over it, there’s no balloon (there should be, Google).

So this morning I finally asked The Incredible Internet Answer Machine.

I just opened another tab and typed “Orange dot in Gmail” into my Google search bar.

The #1 hit (in .29 seconds) was the exact answer to my question…

…in Yahoo Answers!

(We’re going to have to rename it The Incredible Internet Irony Machine )

BTW, the answer is: Orange means the sender is using Gmail but is in “idle” status because they haven’t looked at their Gmail page in awhile – they are busy using some other browser tab or application. Green = active on Gmail now, Red = busy, Grey = offline.

This may be the only blog post I ever write with no link in it. But, reading today that Avatar has finally knocked off Titanic as the #1 grossing movie of all time, one hardly needs to provide a link to either.

Given my passion for film, I just want to say: hats off to James Cameron. He may not be the most likeable character in the world. But twice now this man has taken me and countless others (a signficant percentage of the human population, in fact) to a place in film an ocean beyond (or a planet beyond) what we have ever experienced before.

Which really is a new place in consciousness, when you think about it.

I thank him for that, and everyone who helped him realize his vision.

Two pieces of advice:

1. See it in 3D. It doesn’t matter how long you wait to do it. Just see it in 3D.
2. Sit as close to the axis of the center of the screen as you can, i.e., both in the middle of the theatre and at the height of the center of the screen. It really helps with the 3D experience. Ironically in most 3D theaters this is usually the back row or very near it. In other words, the vast majority of the seats are way too close. Go figure.

123

Related posts:

1. Yes there is Post-Post Modernism
2. Does OpenID meet P___/Activist test yet?
3. FastCo Post on Governemnt Experiments with Identity Technologies

Steven J. Murdoch and Ross Anderson, in the very worthwhile “Verifi�ed by Visa and MasterCard SecureCode: or, How Not to Design Authentication” assert:

While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong…

To which I can only respond: “you wish. We don’t have any security economics! Not even the wrong ones.”

In the past, every time I brought up this issue in the OpenID community, I got nowhere. (The Information card community has slightly better ones due to the possibility of branding, but it has bigger problems to worry about right now.) But perhaps it is time to try again …

A lots of techies seem underwhelmed by yesterday’s iPad announcement. But Kevin Marks has a good pro-iPad point of view. I have another one to add:

Yep, we have seen all the pieces that make up the iPad: unibody, touch screen, WiFi, 3G, flash, big button in front, dock, … So technologically, it’s indeed a “yawn”. But this ignores the market innovation that it enables, which is the opposite of a yawn.

Just two examples:

• in healthcare, I can totally imagine hospitals putting up a stand+keyboard for the iPad in every treatment room, and the doctors and nurses carrying iPads. When they enter the room, they put the iPad on the stand, initially switched off, and figure out what’s wrong with you. Then, they can immediately enter what they need to into their medical records system.
  This is the first device for which this has ever been true! It can be carried, it wirelessly connects, it has the battery life, and it is big enough you can actually see something. The iPhone was the closest before, but the iPad nails it. That’s not just a billion-dollar market for Apple, but there is a very good chance we’ll all end up healthier!
• in education, it’s the device that could make printed textbooks obsolete. At $499 plus volume discount, that might even save the school districts money! And imagine what a textbook could turn into if you carried it around like an iPad with WiFi and high-end graphics available.

It’s very impressive that Apple manages to innovate technologically and market-wise in the same company. Any other company that knows how to do that?

I’m happy to announce today that I’ve accepted a job at Google, working on the newly formed Social Web team. I will be joining fellow new-hires Joseph Smarr and Chris Messina, as well as a host of other incredibly talented engineers, in contributing to the emerging standards and growing developer community in this space.

Instead of the long contemplative post on how this move is the next logical step in a career of working in Identity Management, I’ll keep it short. I start work next Monday, February 1st, and I’m a bit pre-occupied this week with getting moved from Portland, Oregon down to Half Moon Bay, California.

I expect great things from our team in 2010, and so should you.

I finally got around to listening to Remarks on Internet Freedom made by US Secretary of State Hillary Clinton. This is powerful stuff and if history has a decent memory this should become a fairly prominent moment. In my mind, it is the first substantial framing of access to information via the internet as a universal human right. My only complaint is that her ideals fall flat on what I would consider to be an additional human right — anonymity.

This is an excerpt about anonymity from her speech (emphasis is mine):

Now, all societies recognize that free expression has its limits. We do not tolerate those who incite others to violence, such as the agents of al-Qaida who are, at this moment, using the internet to promote the mass murder of innocent people across the world. And hate speech that targets individuals on the basis of their race, religion, ethnicity, gender, or sexual orientation is reprehensible. It is an unfortunate fact that these issues are both growing challenges that the international community must confront together. And we must also grapple with the issue of anonymous speech. Those who use the internet to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities. But these challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes.

While I appreciate her restraint, I disagree with the spirit of her statement here. The sentiment that people who speak or share information must be identifiable is coming from a position of fear. It is the corner of the despot that knows that their ideas can not rule on their own merit. It is the corner of indoctrinators who know that certain information and material is pervasive and will mutate the vision they are trying to put forth. This is the position of a democratic society where free speech is glorified while thought control is still a pillar of the institution therefore requiring some form of leverage even if it is mechanical and superficial.

Right now, the filtering technologies created by American companies which is intended to be used modestly by parents to keep their children innocent or companies to keep their employees productive are the same technologies, in many instances, that are being used to silence and oppress in other countries. If I am correct in reading the implication here that anonymity should be met without respect or protection because it can be used for bad, then we’re in a lot of trouble. That attitude will only lead to less user-centric and user-driven identity technologies.

As someone who works with OpenID, a technology meant to provide universal user-centric identity on the web, I take this very seriously. As identity technologies become more magnetic and the ability to correlate seemingly splintered identity attributes becomes easier, the value of anonymity will increase. It should be this generations responsibility to embed our collective moral attitude with the protection of anonymity. Laws and social norms should point to technology that communicates, transparently, the level of known information at any given time, including any correlated information, so that the user is empowered to make the choices they feel comfortable with. This also means communicating who has access to your identity whether that’s a person, an affiliate company, or another service coming through an open API. All current implementations of distributed identity, including OpenID and Facebook Connect, currently fail tremendously to communicate this information transparently and prominently.

So what about pirates and thieves and thugs? What about predators and terrorists? These labels are applied to people following ideas and feelings. Piracy persists because people feel they have a right to material. Maybe they are wrong or maybe they are right. Somewhere along the line, they failed to be convinced of the opposing point of view. Take this as a challenge to reinforce your perspective and push it deeper into our collective moral view. The same principle applies to dangerous people. Centuries ago, it may have been possible to jail or kill people who were following a dangerous idea. While we should still follow some traditional patterns of peace-making, in a world with a global information network where people have a universal human right to access information, the flow of dangerous ideas will still persist and we must be more creative. Identifying the people who spread dangerous ideas is highly desirable but ultimately ineffective when the dissemination of material is rapid and far reaching. The real challenge is to identify why certain ideas are adopted and what truth can be used to counter it. Truth stands on its own merits. It does not need to be protected from questions, regardless of how offensive the questions may seem, and it is not scared of being shown in the light of day.

Maybe I’m wrong about this. I’ll admit, it’s a complicated subject and I’ve not totally committed myself to anything. In the end, Hillary Clinton was asked a more pointed question about anonymity and she expressed uncertainty as well. If you have any thoughts, I welcome you to share it.

Every so often you experience a technical problem you can’t find any information about and which takes you forever to solve. Then, after you finally solve it, you are left scratching your head saying, “I don’t get it­—there must be millions of people with this problem—why is there so little information about it?”

Once before, back in 1991, I ran into such a problem with Windows 3.0. After finally solving it, I shared my solution with my friend Seattle Times tech columnist Paul Andrews. He published it in his column, and it turned out that thousands of people had the same problem but nobody understood quite what was happening. So that’s why there was so little information about it.

Now 20 years later, even though we’ve got the Internet and Google and all, I’ve just been through the same experience. And the irony? The problem is with none other than Google accounts—the very accounts that we need from this search giant to access many of the services it offers.

Over the holidays I finally bore down, worked the problem all the way through, and solved it. And throughout the process I was consistently stunned to find so little information available about it, either from Google or anywhere else.

So this time around I’m being proactive about it and publishing the solution right here so it will be easy for anyone to reference. (And, of course, for Google’s own search engine to find — the Internet brings new heights to irony.)

Warning: read this all the way through. The easy fixes are also the ones you may live to regret.

The Problem

1. A friend shares a Google doc with you.
2. You receive an email containing a link to this Google doc.
3. When you click on the link, you are prompted to log into your Google account, but once you do, you can’t get access to the doc because the email address that the friend used is not the same email address you used to originally create your Google account.

Arrggh! (That’s an exact quote from an email I just received from a friend for whom I’m solving this problem by writing this blog post!)

The Simple Solution That Will Get You In Trouble

There is a simple solution for which I thank George Fletcher of AOL, who first explained it to me and others on the OpenID mailing list who were having this problem a few years ago.

The solution is: register a new Google account under the email address that your friend used to share the Google doc with you.

It’s very easy…BUT…read the warning afterwards as to why it’s a red herring.

1. Go to http://google.com.
2. If you are signed in, sign out (top right corner).
3. On the next screen (the plain jane Google home screen), click the Sign in link in the top right corner.
4. On that screen, underneath the login box on the right, click the link “Don’t have a Google account? Create an account now”.
5. Even though you may already have a Google account, enter the email address you want to register for another Google account (the one your friend sent the Google doc too).
6. Confirm the email address via the standard process.
7. When you are done, log in using to this new Google account (using the email address you just registered, not the one for your other Google account).
8. Go to Google Docs (http://docs.google.com).
9. The Google Doc your friend shared with you will be on the list.

Yes, it’s that simple. BUT…

The New Problem This Creates

The reason NOT do solve the problem this way, to which I can attest by long and painful experience, is that while you will now have access to all the Google docs shared with you…you will also have to log in and log back out of each of your different Google accounts in order to access the different sets of Google docs shared with you under your different email addresses.

This might seem like a small pain at first, but believe me, after the 500^th time you will be wishing there was a better way.

There is.

The Better Solution…That Still Isn’t the Right Answer

The “better way” is a standard feature of almost any identity or directory system: aliases. (Disclaimer: I’m in the Internet identity business, so this is the kind of stuff I deal with all the time.) In an identity or directory context, an “alias” is just an alternate name for the same account. And in fact Google accounts supports aliases. What’s interesting, though, is that: a) they don’t call them “aliases”, and b) aliases for Google accounts are completely different than aliases for Gmail accounts.

Gmail accounts, you ask? What’s the difference between a Google account and a Gmail account?

Therein lies a whole ‘nother can of worms (and possibly the reason there is so little information about the Google account problem).

Let me start by explaining the difference (as best I understand it – this WHOLE BLOG POST is an open invitation for the good folks at Google to correct any of my misunderstandings and provide better explanations).

First, a Google account and a Gmail account are not exactly the same thing. The first rule is: every Gmail account is a Google account, but NOT every Google account is a Gmail account.

In other words, if you have a Google account that is NOT a Gmail address, then you have a Google account that is NOT a Gmail account.

The second rule is: BOTH a Google account AND a Gmail address can have an alias. BUT THEY ARE NOT THE SAME THING, AND NEITHER CALLS THEM ALIASES.

I am not making this up. An alias on a Google account (and remember, every Gmail account IS also a Google account) is another name for the entire Google account. But for Gmail, an alias is ONLY an alternate email address that you can send or receive email from using your Gmail account. A GMAIL ALIAS IS NOT A GOOGLE ACCOUNT ALIAS. A GOOGLE ACCOUNT ALIAS IS NOT A GMAIL ALIAS.

Is that clear as mud?

Now, adding an alias to a Gmail account is quite easy, remarkably powerful (most people have no idea how much flexibility Gmail offers to manage your email for any number of email accounts), and surprisingly poorly documented. I just spent 10 minutes searching Gmail for help on this just to see if there was a Gmail help page I could just link to.

Nope.

So here’s how.

Instructions for Adding an Alias to Your Gmail Account (but NOT for your Google Account Even If It Is a Gmail Account!)

1. Login to your Gmail account.
2. Click the Settings link in the top right.
3. Click the Accounts and Import tab.
4. In the second section, Send mail as, click the button labelled, Send mail from another address.
5. Enter the email address as instructed.
6. Google will send you an email with a link you must click to verify you own the address.
7. Go to that mail account, find the mail, click the link (it all takes about 30 seconds).

You’re done. Go back to your Gmail Settings page, click the Accounts and Import tab, and the new email address will be listed in the Send mail as section. You can now send email from this email address by choosing it in the d“From” rop down box in Gmail. (See the help link for more info about the different ways you can send mail from a Gmail alias.)

You can add as many email adddresses as aliases to your Gmail account as you want (at least I couldn’t find documentation about a limit). But keep in mind that all of these will ONLY be Gmail account aliases, not Google account aliases — and having them as Gmail aliases does nothing to solve the Google account problem.

So you have to go through a different process — even with the same set of email addresses — to make them Google account aliases. (For example, I have the same four email addresses as BOTH Gmail aliases and Google account aliases.)

The following instructions apply for adding an alias to ANY Google account (whether or not it is a Gmail account), BUT—and this is a big BUT—if your Google account is NOT a Gmail account, keep reading afterwards about why this can come back to bite you.

Instructions for Adding an Alias to Any Google Account (Even If It Is a Gmail Account)

1. Go to www.google.com/accounts. That is the home page for configuring any Google account. If you’re currently logged into Google, Google figures out which Google account you are using via a cookie in your browser. If you’re not logged in, they’ll prompt you to login, and the Google account you will be configuring is based on the email address you use to login.
2. Once you are logged in, confirm it is the correct Google account by checking the email address in black text at the very top of the page (on the left side of the block of links in the top right corner). If this is the right account, proceed. If this is not the right account, meaning you want to add an alias to a different Google account, then sign out (upper right corner), then sign back in under the email address for that different Google account.
3. Under Personal Settings in the top center of the page, the entry at the bottom of the column will be Email addresses. If you have not yet added any aliases to this Google account, you will see only one email address—the same email address as at the top of the page. It will have the grey words (Primary email) next to it. This is the “primary key” for this Google account. You can’t change it! See the warning below.
4. To add an alias (do you see the word “alias” anywhere near here? Or anywhere on this screen? Does Google give you any clue that this is where you should go to access such a feature??), click the Edit link below this email address.
5. On the next screen (https://www.google.com/accounts/EditUserInfo), you will see two blocks: Edit personal information and Add an alternate email address to your account. You want this second block.
6. At the bottom of this second block is a text box labeled: Add an additional email address. Enter the email address you want to add as an alias (the one to which your friend shared the Google doc you can’t access) and click Save.
7. The next screen will tell you that you’ve been sent an email to verify that address.
8. When you receive the email, click the link in the email.

Congratulations, you have just set up that email address to be an alias for your existing Google account.

The benefits?

1. It no longer matters which of your two email addresses your friends share a Google doc with. Either way, the Google doc they shared will show up in your Google docs dashboard at http://docs.google.com. As far as I know, this is true for all the email addresses you add as an alias (again, I don’t know if there is a limit).
2. You no longer have to log in and out of two different Google accounts. All your Google docs will be there in your one master account. Hooray!

Now for the final gotcha. You can do all the above and still end out with a royal headache one day because of the following rule Google explains when you register an alias as described above:

You can use alternate email addresses to sign in to your Google Account, recover your password, and more. Alternate email addresses can only be associated with one Google Account at a time.

In other words, for good security reasons, you can only add an email address as an alias to one Google account at a time. On the surface that doesn’t appear to be an issue…until you circle back to what I explained above…that every Gmail address is also a Google account. By simple deductive logic, you arrive at this conclusion:

You cannot add a Gmail address as an alias to ANY Google account!

In other words, at Google, all email addresses can all serve as primary keys for Google accounts BUT only only non-Gmail accounts can serve as an alias (a secondary key).

So it boils down to this: if have a Gmail account, or ever plan to get one, then you are forcing yourself into the multiple-Google account problem for life UNLESS…

…you make your Gmail account your primary Google account.

Yup, that’s the secret. As long as you make your primary Google account a Gmail account, you’ll never have the problem of wanting to use Gmail but finding yourself forced into the multiple-Google account problem.

What To Do If You Already Have the Multiple Google Account Problem

Okay, say you’ve already fallen into this trap. You did what I did several years ago: created your own non-Gmail Google account using a non-Gmail email address so you could access Google docs under that email address. Then later you started using Gmail, and so now you have at least two Google accounts (and maybe more). And people are constantly sharing Google docs with you under one or the other of the two (or more) email addresses, and you are driving yourself nuts logging in and out of Google trying to remember which email address was used to share which Google doc.

But you CAN’T take your non-Gmail email address and make it an alias to your Gmail Google account (as I advise) because your non-Gmail address is already a Google account.

How do you fix it?

The answer is: a) completely undocumented (at least I couldn’t find it), and b) scary as hell.

That’s why I’m writing this blog post. There’s no reason Google needs to make this so hard. Why they haven’t written it up in one of their generally decent Help articles I have no clue. I even wrote one of my identity friends at Google to ask him. His answer was essentially, “This is just too hard for most users to understand.”

Well, that may be true, but IMHO it’s not a reason to withhold the documentation. The users who are experiencing the problem are highly motivated to understand it, and in fact the solution is pretty easy once you know what it is.

It’s just scary.

In brief, the way to make a non-Gmail Google account an alias for your Gmail account is to first delete the non-Gmail Google account.

Completely. Kaput. Gone. Which, as you might suspect, would ordinarily mean YOU LOSE EVERYTHING ASSOCIATED WITH THAT ACCOUNT.

How’s that for a scary thought? Honestly, that’s why I held off fixing this for so long. Who wants to bother with working around that?

Luckily, the workaround is not that hard once you know what it is and you are sure it is going to work. That’s the other reason I’m writing this blog post: I could not find anything posted anywhere – or even get it confirmed by those I knew at Google – that this procedure would work and everything would be okay in the end.

But I finally got so tired of the problem that I just did it, and I’m happy to say it works just fine.

So: please read and follow the instructions below carefully. I don’t want anyone coming back and telling me that they lost precious data because of my advice that they delete their Google account.

Part One: Share (or Otherwise Backup) All the Data in the Google Account

1. First, make sure you have at least one other Google account (preferably a Gmail account—see above—however this procedure should work with any other Google account. In these instructions I’ll assume this other account is a Gmail account.)
2. Go to the home page of the Google Account you want to delete at  https://www.google.com/accounts/ManageAccount.
3. Make sure this is the account you want to delete by checking the correct email address in black text at left end of the links at the very top of the page.
4. Under Personal Settings, click on the Dashboard link (second one down) called “View data stored with this account”.
5. This helpful utility (created for personal privacy management) will show you all the data you have at Google associated with this account. Now comes the hard part. You need to go through every Google service on this list, then go through any associated documents or data files for each of those services, and share them with your Gmail account. Even more importantly, if you are the owner any document/file, then transfer ownership to your Gmail account. If you don’t own a document/file (someone else shared it with you), don’t worry, you can’t lose it when you delete this Google account. But, as long as you have Edit privileges on the document/file, share it with your Gmail account just so you don’t have to go back to the original owner and ask them to reshare it later. If whomever shared it with you DIDN’T give you Edit privileges, just contact them and have them share it again with your Gmail account.
6. Did I say do this for EVERY document/file in EVERY Google service you use? Go back to your Personal Dashboard and check it again.
7. IMPORTANT: as a final check, log into your Gmail account and VERIFY that all the docs are shared. If you own the document/file, VERIFY that your Gmail account is the new owner.
8. Check everything one more time. If you are unsure than anything has been shared and will not go “poof” when you delete this Google account, just download a copy to your local hard drive (or email it to your Gmail account). Like I said, never come back to me and say you lost any Google data because of this blog post.

Part Two: Delete the Google Account

1. Go back to the home page for the Google account you want to delete: https://www.google.com/accounts/ManageAccount.
2. MAKE SURE this is the right Google account by confirming the email address in black at left end of the links at the very top of the page.
3. Next to the My products header (the second horizontal section down the page), click the Edit link. This should take you to https://www.google.com/accounts/EditServices.
4. The second option on the page is to Delete Account. Choose that option and follow the instructions to confirm you want to permanently delete this account (and wipe that sweat off your brow). Seriously, if you’ve shared or backed up all the files associated with this account, you’ve nothing to fear. It’s just like reformatting a hard drive <ouch>.

Once you’re done, take a deep breath. Wait 15 minutes. (I don’t know if you actually have to wait this long, but I figured it’s long enough to wait for Google’s servers to go through all their account deletion machinations.)

Part Three: Add The Alias to Your Primary Google Account

1. Log back in to your Gmail account (or whichever Google account you want to make your primary).
2. Follow the instructions earlier in this blog post to add the email address (for the Google account you just deleted) as an alias to this Google account.
3. Once Google confirms it as an alias, you’re done.

Problem solved.

Why It’s Still Not Perfect: A Final Warning

It’s worth pointing out that privacy, not just security, can be an issue with account aliases. Sometimes you don’t want someone to know you are using Gmail address to do all this cool stuff. But if your Gmail account is your primary Google account (as I advise), then take note of the following warning:

Note: In some Google services, if you share your alternate email address with your contacts, they might be able to learn your primary email address.

In short, Google hasn’t fully figured out yet how to provide you with completely separate personas on the Web. In my personal opinion, they would be well-advised to do so. It’s not easy — acheiving this level of privacy can be as hard as acheiving corresponding levels of security. But Google has the talent and, I believe, the motivation to attain this goal. I hope they consider it soon.

Joe Andrieu has a wonderful way of cutting the Gordian knot on complex socio-technical topics, with clear prose, compelling arguments, and clever illustrations that explain why you should look at something decidedly differently.

Now he wields that knife on the very knotty “problem” of data ownership.

I passionately agree with Joe (and his Kantara Working Group co-chair Iain Henderson) on this subject; I suspect it’s because my perspective on it was long ago warped by the lens of XDI, which itself is a new way of thinking about data.

Turn the telescope to look at personal data from the standpoint of who controls its  sharing with whom, and many pieces finally come into focus.

Keep that in mind as we move into an XDI-enabled world.

Sounds like the Obama government is picking up the cause of what Nick and I called the Digital Deal. Amazing! This is powerful stuff, coming not from some fringe group but from the US Secretary of State Hillary Clinton.

Here are quotes from her speech today:

Franklin Roosevelt … delivered his Four Freedoms speech in 1941 …. principles adopted as a cornerstone of the Universal Declaration of Human Rights…

The final freedom, one that was probably inherent in what both President and Mrs. Roosevelt thought about and wrote about all those years ago, is one that flows from the four I’ve already mentioned: the freedom to connect – the idea that governments should not prevent people from connecting to the internet, to websites, or to each other. The freedom to connect is like the freedom of assembly, only in cyberspace. It allows individuals to get online, come together, and hopefully cooperate.

This is exactly how I would have put it. It’s assembly, just on a different type of town square, and just as important as the other fundamental human rights.

It’s smart she puts it as “flows from” what more countries signed already than they are now comfortable with.

She continued:

The United States is committed to devoting the diplomatic, economic, and technological resources necessary to advance these freedoms…

We’re including internet freedom as a component in the first resolution we introduced after returning to the United Nations Human Rights Council…

We are providing funds to groups around the world to make sure that [new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship] get to the people who need them in local languages, and with the training they need to access the internet safely…

Now, ultimately, this issue … [is] … about whether we live on a planet with one internet, one global community, and a common body of knowledge that benefits and unites us all, or a fragmented planet in which access to information and opportunity is dependent on where you live and the whims of censors.

… Historically, asymmetrical access to information is one of the leading causes of interstate conflict. When we face serious disputes or dangerous incidents, it’s critical that people on both sides of the problem have access to the same set of facts and opinions.

For companies, this issue is about more than claiming the moral high ground. It really comes down to the trust between firms and their customers. Consumers everywhere want to have confidence that the internet companies they rely on will provide comprehensive search results and act as responsible stewards of their own personal information. Firms that earn that confidence of those countries and basically provide that kind of service will prosper in the global marketplace. I really believe that those who lose that confidence of their customers will eventually lose customers…

This is exactly how I put it over at Upon 2020 when discussing Google’s China move a few days ago. 10 years ago, it wouldn’t have mattered. 10 years in the future it will be decisive in the marketplace. These are the early rumblings. Mark my words.

And censorship should not be in any way accepted by any company from anywhere. And in America, American companies need to make a principled stand. This needs to be part of our national brand. I’m confident that consumers worldwide will reward companies that follow those principles…

We cannot stand by while people are separated from the human family by walls of censorship. And we cannot be silent about these issues simply because we cannot hear the cries.

There is of course always the issue of how sausage is made, in international politics even more so than domestically. But it’s a good start, certainly better than I would have dreamed.

P.S. Spot the worst offender in this list from her today: “Violent extremists, criminal cartels, sexual predators, and authoritarian governments…”

Ping Identity^®, the leader in Internet Identity Security, today announced it has joined the OpenID Foundation to help develop, promote and extend digital identity and choice on the Web.   Pam Dingle, a senior technical architect in Ping Identity’s Office of the CTO, will represent the company on the OpenID Foundation’s board of directors.

“The marketplace is increasingly looking for open, multi protocol identity solution sets that Ping and other members of the Foundation have innovated,” said Don Thibeau, Executive Director of the OpenID Foundation.  “Ping Identity’s decision to help shape the strategy of the OpenID Foundation signals a phase shift in the evolution of the open identity infrastructure.”

Ping Identity is committed to extending the functionality of Internet Single Sign-On across a growing number of critical corporate and consumer communication channels.  As a sustaining member of the OpenID Foundation’s board of directors, Ping Identity joins a distinct group of digital identity thought leaders to accelerate open options for securely managing digital identities.

“Protecting digital identities including securing user access is quickly becoming a business and personal imperative,” said Ping Identity CTO Patrick Harding.   “As an OpenID Foundation member, Ping Identity brings almost a decade of Internet SSO experience together with a broad range of security disciplines to help overcome the security and interoperability barriers to long term success.”

The OpenID Foundation represents the open community of developers, vendors, and users. The organization assists the community by providing needed infrastructure and help in promoting and supporting expanded adoption of OpenID. This entails managing intellectual property and brand marks as well as fostering viral growth and global participation in the proliferation of OpenID.

Ping Identity joins nine other OpenID Foundation corporate board members including Booz Allen Hamilton, Facebook, Google, IBM, Microsoft, PayPal, VeriSign, Yahoo! and LexisNexis.

I’ve been moved by the devastation wrought by the Haitian earthquake. It’s simply impossible to fathom, with death toll estimates hitting 200,000. In comparison, the Indonesian tsunami of 2004 killed nearly 230,000 people — placing it fourth among the world’s deadliest earthquakes. To give some perspective to those numbers, the atom bomb dropped on Hiroshima in 1945 killed 80,000 people instantly. These are numbers that I simply can’t grasp.

And this disaster still unfolds, with scores pitching in — many turning to the social web and social media to facilitate or amplify their efforts.

One such effort is being lead by Project EPIC, a collection of information scientists, computer scientists and computational linguists at the University of Colorado at Boulder and the University of California, Irvine.

Their initiative, called Tweak the Tweet, provides a dictionary of hashtags for reporting on issues on the ground in Haiti and calling for aid. Here are templates for using their syntax:

I applaud their efforts and desire to help people communicate their status in a way that facilitates machine-processing. I worry, however, that this approach may limit its success.

Hashtags are metadata for humans first, machines second

The original need for hashtags came from the lack of any formal or public grouping mechanism in Twitter.

For example, when half of Silicon Valley went to SXSW and tweeted for days on end about this speaker or that panel, those who weren’t at the conference desperately wanted some way to filter out such noise. I proposed the hashmark (#) as a way of adding context to a tweet, so that people could choose for themselves to filter out or follow tweets tagged with certain keywords. In July last year, Twitter decided to hyperlink hashtags to their respective search results, and the format became widely adopted — more often than not used to game the trending topics on Twitter’s homepage.

Initially, most people thought hashtags were ugly and useless; even the folks at Twitter thought that they were unnecessary because they’d eventually develop natural language processing algorithms that would supersede the need manual tagging. Contrary to initial complaints about their complexity, hashtags become easier to understand and use with repeated exposure and practice because they are so transparent: if you see someone use a hashtag, you know how to use a hashtag.

And so three years later, hashtags still serve a role in helping people express themselves to each other.

Keep it simple, make it memorable

Language is inherently mutable; mathematics (the language of machines) is not. Verbal language can be adapted by a speaker, and what is heard (or read) is itself interpreted; the conversion is never digital, and invariably bears some loss of meaning.

But using hashtags to clarify meaning prioritizes the needs of the machine over the capabilities of the individual.

Such imposed order in a networked environment can succeed, but only if it achieves instant, widespread adoption, and is itself superficial (that is, it doesn’t require deep knowledge to understand or use the new order). In contrast, simpler, smaller and emergent structures tend to fare better over time, but developing them is not easy (see also: slashtags).

Successful structures should also aim for minimal cognitive burden — by being easy to remember and recall in practice. I’ve frequently seen people tweet about how they “forget to use hashtags” in posts — which is not surprising, since most people don’t think about the metadata of what they say. Hashtags and slashtags are most useful, therefore, when you want to provide additional context that is harder to express otherwise.

Learning from previous efforts

The Tweak the Tweet project introduces a “new order” for using Twitter. Though the words it calls out are mostly common, the use of the hashmark seems gratuitous, given the limited length of the medium (something that Stowe Boyd points out) and that the hashed words comprise the meat of the message, rather than the meta. To give you an example, this is Tweak-the-Tweet formatted post (77 characters):

#haiti #offering #volunteers #translators #loc Florida #contact @FranceGlobal

The same message could be reformatted to be human-readable without any loss of meaning (72 characters):

Offering volunteer translators in Florida. Contact @FranceGlobal. #haiti

While the message may not be as machine-friendly, it may reach a wider (human) audience available to respond to this offer.

Now, I don’t want to dismiss this effort, but instead provide a word of caution on focus. Tweak the Tweet is not the first hashtag pidgin language I’ve seen — and previous efforts struggled to gain adoption and awareness. Perhaps by minimizing the metadata and maximizing the meat, the effort poured into this might achieve a greater effect.

Paving the cowpaths and bulldozing fields

#sandiegofire

Hashtags may never have taken off if it weren’t for Nate Ritter tweeting about the San Diego forest fire in 2007. In fact, his use of the hashtag was the first dedicated use of a hashtag to help coordinate a response to a natural disaster:

What’s important about his use of hashtags in this case was that he was using them to communicate critical information to people in natural language. His use of the hashtag provided additional context to his followers who weren’t in San Diego, and also modeled a behavior that others could easily emulate when reporting their own news.

When I proposed using #sandiegofire as the hashtag for Nate to use, I first looked at what people were already using the tag their photos of the event on Flickr. At the time, the sandiegofire was one of the trending tags, and that’s how I chose it:

Had I tried to come up with my own new phrase for the event, Nate’s use of the tag may not have been picked up. #sandiegofire was also better than the alternatives, which were more localized and therefore more obscure to the broader audience. Using “SanDiego” in the tag itself helped bring clarity and context to Nate’s tweets.

Using hashtags effectively means considering the audience and their familiarity with the issue being tweeted about. While tagging lets you be as esoteric as you want, it may limit the reach of your effort, whereas paving the cowpaths means that you build on the familiar and connect with what people already know, reducing friction and inviting contribution.

iList with #ihave and #iwant

iList is an interesting service that originally aimed to take on eBay and Craigslist by leveraging social media. More recently they decided to narrow their efforts to focus on hashtag-based listings and Twitter search. Nonetheless, what I think is interesting about their approach is that it is, on the surface, quite simple.

To use the service, you just tag your tweet with #ihave or #iwant. If you want to get more detailed, you can add your zip code or categories like #forsale or #electronics. But the core service relies on using just two tags which seem to be have moderate usage — proving that getting adoption is always the hard part of any metadata-based communication strategy.

Twitter Vote Report#votereport

The last example is very similar to Tweak the Tweet and was launched by some friends of mine. The Twitter Vote Report project was designed to enable citizens to report on their local voting situation by using a series of hashtags:

• #[zip code] to indicate the zip code where you’re voting; ex., “#12345?
• L:[address or city] to drill down to your exact location; ex. “L:1600 Pennsylvania Avenue DC”
• #machine for machine problems; ex., “#machine broken, using prov. ballot”
• #reg for registration troubles; ex., “#reg I wasn’t on the rolls”
• #wait:[minutes] for long lines; ex., “#wait:120 and I’m coming back later”
• #early if you’re voting before November 4th
• #good or #bad to give a quick sense of your overall experience
• #EP[your state] if you have a serious problem and need help from the Election Protection coalition; ex., #EPOH

All tags were optional except the #votereport tag.

They also went through painstaking effort to mobilize people and provide alternative means to participate. They also did a good deal of work to report back their findings in real time (most visualizations appear to be offline) and open sourced their codebase.

They also made sure to make it possible to participate without using Twitter — the hashtags were just a mechanism for getting data into the system.

Design for adoption, stay focused

Around the time it launched, Ethan Zuckerman expressed skepticism about whether Twitter was the appropriate tool for the vote report project, in much the same way I’m wondering whether Tweak the Tweet could take a more focused approach in exchange for wider participation to achieve its goals.

My greatest concern is that there won’t be enough people who can “speak” the “tweaked” syntax, leading to a lot of effort spent building parsers that will be data-starved. While trained volunteers might be able to use this syntax effectively, I wonder if there aren’t alternative approaches that could use the existing corpus of text messages and tweets coming out of Haiti (which probably aren’t geo-coded, unfortunately) to discern the typing patterns that people use naturally in order to facilitate adoption? Perhaps by focusing on fewer tags that are self-evident in their meaning and use, it is possible that this effort could be used to model the proper usage of the tags, making a more direct difference while there’s still time? Unless the audience of this effort is expert users, I’d suggest steering towards simplicity and ease of adoption — and being mindful that typing out a complicated machine-friendly syntax might be the last thing on someone’s mind who’s trying to find or offer help in such a disaster.

Chris Messina thinks the OpenID brand should come to mean a package of a number of related “Open Stack” technologies, called OpenID Connect, and start to compete with Facebook Connect.

Dare Obasanjo disagrees: he thinks we only need an OpenID Connect if there were multiple incompatible implementations of Facebook Connect-like products from multiple players, to standardize best practice.

Who is right?

Both, I think. They represent two different points of view that I both sympathize with. I like the first better but the second one might be more realistic. I only realized this a few months ago, this is as good a time as any to attempt to explain this:

First I have to make a detour: OpenID (and related “Open Stack” technologies) are fundamentally interoperability standards. If I have a website and you have a website, OpenID enables our mutual customers to do something interesting by “connecting” some pieces of my website to your website. Take authentication performed on my website to your website, for example. Move data, etc. It’s important to realize OpenID doesn’t do anything that can’t be done already by a site by itself, or within a tightly coupled federation of sites. Instead, OpenID is about interoperability between sites managed by different entities that only agree on the OpenID interoperability specification.

How do successful interoperability standards come into being, and how do they continue to evolve?

I’m not a technology historian, but it appears to me that they usually emerge after several companies have implemented similar, proprietary ways of interoperating, and the potential adopters of such proprietary specifications revolted saying something to the effect of “we can’t afford implementing half a dozen different ways of interoperating with you guys, we need to have one way for the whole industry.”

I think that is essentially Dare’s point. He’s asking where everybody else’s (MySpace, Google, etc.) products are that are like Facebook Connect, and finds very little. His conclusion: this is not the right time for an OpenID Connect.

Chris’ point comes from a different perspective, which is: let’s make the web a better place, and collaboratively design a set of new capabilities that help us all. I understand that perspective very well, because I, like many others, was preaching that perspective ever since I got into that digital identity business in the first place. The trouble is: it’s like molasses, and nothing much ever happens. So far, that has been true about an OpenID Connect, too, for which people like Chris and myself have been asking for for at least a year or more.

I wonder what the newly expanded board of the OpenID Foundation thinks of it. There are enough new faces, in particular from non-technology-platform companies on it that the dynamics may be different. Looking forward to seeing what comes to pass or does not.

There’s an excellent thread going on among the MyDex team about the accelerating shift towards cloud computing and what this means for the individual. I strongly recommended to them Nicolas Carr’s The Big Switch for a discussion of this very subject.

Arguably, we as individuals need the cloud even more than companies do. On the whole, we have less ability to maintain our own “individual piece of the cloud” than a company does. We have neither the capital, the expertise, nor the ability to persist across major changes (all but the very smallest company can persist when an employee leaves or dies, but when an individual person dies, their world of information disintegrates very quickly).

Google and other cloud-based service providers have recognized this. Given the proper safeguards* (see huge asterisk below), the advantages to individuals maintaining their personal data store of all their personal data assets at one or more cloud service providers are enormous. The latest example: watch the migration taking place from Intuit’s venerable Quicken franchise of desktop personal money management to the cloud-based equivalent at Mint.com.

Mint.com’s advantages are so compelling – all your data is automatically backed up, automatically accessible from any Web-connected device, automatically updated from any of your (supported) financial accounts, automatically able to send you important alerts and reminders – that it makes desktop money management look as antiquated as 5-1/4 inch floppy disks. (Remember, there was a time when 5-1/4 inch floppy disks were manna from heaven.)

If you need any further proof of this paradigm shift, Mint.com was acquired by Intuit last September.

I think we’ve seen only the very start of this paradigm shift of migration of personal data and personal data services to the cloud. And I don’t believe it will be take than a year or two until it becomes the norm. Check back here in January 2012 and let’s see where we are.

*HUGE ASTERISK: I don’t mean for one second to gloss over the topic of the safety (umbrella term for security, privacy, and control) of personal data in the cloud. I spend a good part of my day job as Executive Director of the Information Card Foundation on this topic, and it is the entire premise of emerging VRM service providers like MyDex. It is so deep and rich of a topic that I believe before long it will result in a whole new branch of the law.

Yesterday was my last day at Microsoft. You can read more at Dick Hardt dot org.

Now that I am not constrained by Microsoft policies, I plan on writing about a variety of topics that have been bubbling in my head for the past year. OpenID v Next, Company Culture, Online Privacy etc.

As for this site, the “2.0″ branding seems so last decade now. I will be putting this identity into stasis and doing all my new writing at Dick Hardt dot org, where I will discuss how digital identity is becoming reality.

Facebook’s Online Identity War quotes me and labels IIW an advocacy group. IT IS AN INDUSTRY FORUM. Douglas MacMillan.

Sorry but I am still learning “how” to talk to reporters. They don’t like to quote me as “the identity woman” and link to my blog.

I “do” run the Identity Workshop with Phil and Doc but that doesn’t make it an “advocacy group”

Identity Commons & IIW have a purpose and principles believing in user/centric identity. The power of individuals to manage and control their own identities online. We don’t “advocate” for them – we create a convening space for people who want to work on this ideal.

Facebook does on some level “agree” with the idea of user-centric identity – Luke Shepard has participated in the community for quite a while & they hired David Recordon. They sponsor IIW.

I am clear that the opening up of previously controlled information with no warning “jives” with my understanding of user-centric control. It was more from my own point of view I was commenting. That is with my “identity woman” hat on… and the values I carry from Planetwork and the ASN… but the press hates that. Uggg. Chris Messina gets to be an “open web advocate”… that is what I do to but just about identity “open Identity advocate” (mmm…) but then that sounds like “just” OpenID and it isn’t just about that one particular protocol. sigh.

I am still wondering – How does one “belong” and have “titles” in a way the media can GROK when one does not have a formal position in a formal organization.

sigh – identity issues.

Related posts:

1. At Burton Group Catalyst! Exciting week ahead.
2. International Telecommunications Union Focus Group on Identity Management
3. Identity Gang now a group in Second Life

I have another post up on ReadWriteWeb that went up just after Christmas covering people who are choosing to leave Facebook or considering doing so along with the tools to help them.

Fed Up with Facebook Privacy Issues? Here is how to End it All.

It highlights two different Web 2.0 suicide machines; one is an art project called Seppukoo.com .

The service creates a virtual memorial for you and posts you on a suicide wall & they give you points for how many friends you had and how many of them choose to follow you to the “after life”. The leader board is here.  You can see the RIP page for one of the creators of the service - Gionatan Quintini here.

It received a cease and desist from Facebook and responded.

The response is not covered in the article (it wasn’t out when I wrote it). It has some great quotes that sound like language coming from the user-centric identity community.

5. My clients have the right to receive information, ideas, and photographs from those people whom are the legitimate proprietors of this data and can decide to share this data or to store it, with the prior consent of its respective owners. All of this is freedom of expression and the manifestation of thought and free circulation of ideas that is accepted and guaranteed in Europe and in the U.S.A.

6. Facebook cannot order the erasure of data that does not belong to it, acting against the free will of the owners of such data. This is not protection of privacy, but rather a violation of the free will of citizens that can decide freely and for themselves how to arrange their personal sphere.

Web 2.0 Suicide Machine is more comprehensive – covering LinkedIn & Twitter as well.

Here is the previous Read Write Web post on the changes in what is and is not public.

Related posts:

1. Other negative Cybermobs: Live Suicide
2. The Facebook Borg are coming.
3. Facebook SocialAd’s & Privacy

ReadWriteWeb has coverage of Zuckerberg’s talk with Arrington at the Crunchies. According to him, the age of Privacy is Over. This is the quote that is just STUNNING:

..we decided that these would be the social norms now and we just went for it.

When I first heard it in the interview in the video I did a major double take – “we decided” ?? seriously? The we in that sentence is Facebook and clearly with Zuckerburg is at the helm – He could have said “I decided” and he as the CEO of a social network has the power to “decide” the fate of the privately shared amongst friends in the context of this particular social network for millions of people (see my post about the privacy move violating the contract with users). It makes you wonder if this one platform has too much power and in this example makes the case for a distributed social network where people have their own autonomy to share their information on their own terms and not trust that the company running a platform will not expose their information.

It is clear that Zuckerberg and his team don’t get social norms and how they work – people create social norms with their usage and practices in social space (both online and off).

It is “possible” to change what is available publicly and there for making it normal by flipping a switch and making things that were private public for millions of people, but it is unethical and undermines the trust people have in the network.

I will agree there is an emerging norm that young men working building tools in Silicon Valley have a social norm of “being public about everything”, but they are not everyone. I am looking forward to seeing social tools developed by women and actual community organizers rather then just techno geeks.

I will have more to say on this later this week – I was quite busy Saturday – I ran the Community Leadership Summit, yesterday I flew to DC and today I am running the Open Government Directive Workshop. While I am here I hope to meet with folks about Identity in DC over the next 2 days.

Related posts:

1. Facebook Changing Privacy Settings
2. Facebook Privacy Changes leave us “Socially Nude”
3. Privacy Commissioner of Canada opens CFP

I was one of the first people to congratulate Chris Messina on his blog when he announced he was going to Google. It was a personal congratulations. I wasn’t sure if it was good overall for the open web vision or the community as a whole. In the end after thinking about it for a few days I feel it is a good move for them, for Google and for the community. The rest of this post explains why.

With Chris going to Google it gives them three seats on the OpenID board (Joseph and Chris are both community board members and Google has a corporate paying board member seat filled by Eric Sachs). It concentrates a lot of power at Google and I agree with Eran’s concerns from Marshall’s RWW/NYTimes article …why be “open” if you can just have an internal product meeting with Brad Fitzpatrick and a few other Googlers and “ship” a product without reaching out to others. I agree with the concern and I think there will be enough eyes on these individuals in particular and Google in particular to challenge them if they do that.

Thursday morning I sat at “geek breakfast” in Berkeley with a friend discussing Chris and Joseph’s move to Google. We mused about how many people we knew who “get social” have been at Google and because “Google didn’t get social” they were unhappy so they left, Kevin Marks being just the latest example leaving in the fall for British Telecom/Ribbit where he works for JP Rangaswami, the CIO who really gets open.
Given this, if “just” Joseph Smarr was going to Google he would be more “alone” trying to “do social right” at Google. Yes, he would have allies but no one quite as high profile as himself. With Chris Messina there too, there are now two major committed community leaders who can work the politics involved in helping Google to “get” social and actually do it right. If anyone has a hope inside that big company it is those two and I don’t think either could be as effective alone.
If Chris and Joseph fail, that is if they get frustrated and leave (which they can at any time they want cause they are very “employable” because of their profiles by a whole range of companies in the valley) then is a sign that Google doesn’t really “get” social and isn’t moving in the right direction in terms of supporting the emergence of an open standards based, individually empowering & social web.
With Zuckerberg’s statement’s about privacy and the recent actions by Facebook to make user-information public, Google has a huge opportunity to live up to its slogan of “not doing evil”. Over the fall Google made some promising statements on the meaning of open and took action spinning up the Data Liberation Front.
I know many people who currently are and have been at Google. All of them talk about how secure things are internally – it is not possible to go into their systems and “look up a user” and poke around at what they have in their e-mail, or what they have searched on or what is in their google docs. Algorithms look at people’s stuff there, not people. Google takes their brand and reputation for protecting people’s private information seriously. I am not particularly starry eyed about Google thinking they can do no evil – they are just a company driven by the need to make a profit. I worry that they might be becoming too dominant in some aspects of the web and that there are legitimate concerns about the monopoly power they have in certain market area.
I don’t see this as a Google vs. Facebook fight either. Chris, Brad, Eric, Joseph are all at Google & David Recordon and Luke at Facebook; they are all good friends socially and are just six people in the overall identity community made up of about 1000 people at 100’s of companies. Yahoo!, AOL, Microsoft (enterprise & MSN side), are all involved along with PayPal, Amazon, BT, Orange, Mozilla, Sun, Equifax, Apple, Axiom, Oracle, & many many more. They all come together twice a year at the Internet Identity Workshops and other events to collaborate on innovating open standards for identity on the social web.
I invite those who want to participate in the dialogue to consider attending the 10th Internet Identity Worskshop May 18-20.

I take the health of the identity community, its over all tone and balance quite seriously. I helped foster it from the beginning really starring in March of 2004 including 9 months from June of that year until January 2005 it was my first major job – evangelizing user-centric identity and growing the community to tackle solving this enormous problem (an identity and social layer of the web for people). I along with others like Doc Searls, Phil Windley, Drummond Reed, Bill Washburn, Mary Ruddy, Mary Rundle, Paul Trevithick, Dick Hardt, Eugene Kim & many others formed the identity community. Having put my heart, soul, sweat and tears into this community and working towards good results for people & the web, I don’t say what I say in this post lightly.

Related posts:

1. Chris & Chris on Data Portability
2. Community Contexts and Weaving Social Web
3. Chris hasn’t blogged either

Seems PG&E is installing smart meters for electricity and gas in our neighborhood. They use some kind of mesh networking.

Anybody know how they might be secured?

According to Facebook founder Mark Zuckerberg, yes. See the video with your own eyes and read the ReadWriteWeb analysis of the interview he did with TechCrunch’s Michael Arrington.

Is the age of privacy really over, or does Mark Zuckerberg just want it to be over?

Myself, I don’t think so. Istead what’s headed for extinction are companies that try to make their money by convincing people they need less privacy.

Watch this space – more coming on this topic coming soon.

Yes friends, I’m turning 29 and I’ve decided to go work for The Man.

In all actuality, I’ve been mulling over such a move for some time, considering a number of compelling opportunities for my next step. After reviewing my options — in light of the progress I’ve made so far and my familiarity and existing relationships with the new team at Google that I’ll be working with — I came to the conclusion that Google offers me the best possible opportunity to continue my work in an environment and culture that is compatible with my outlook, goals, and work habits.

I was trained as a designer, but I’ve been involved with the tech scene since I arrived in Silicon Valley just over five years ago. In some ways, technology has reshaped the way I approach and solve problems — forcing me to think in terms of adoption strategies first, rather than always trying to find the simplest, cleanest design, because of the disadvantaged position I occupied as a non-coder. I can see the consequences of these effects on my approaches first to OAuth, and then to Activity Streams, as well as with OpenID, with positive and negative results. In some ways I’ve had to temper my designer training and put technology first in order to grow an audience. But now I’m ready for new challenges that will expand my ideas and tactics, force me to attack problems from new perspectives, and dip into my design thinking repertoire to operate at a whole new level.

Though I consistently aim high, I want more success in turning my ideas into tangible outcomes, and in doing so, prove the power that I see in open, interoperable standards that can make the web a richer and more intricately spun space.

In some ways, I’m still just getting started with my work.  In joining Google, I see the chance to have a greater impact than I might otherwise on my own. That said, I won’t lose track of what intrinsically motivates me — that I’ve always been about spreading the benefits of the web by creating technology that  fosters innovation and choice. And there’s where I see alignment with what I’ve been doing, and what Google needs to succeed. In fact, my new title at Google? The same one I independently gave myself a year ago: “Open Web Advocate”.

In this role, I’ll still be an active community board member of the OpenID and Open Web Foundations; I hope to help push the Activity Streams project forward with a 1.0 release of the spec soon. And I’m still hopeful about the future of my our semi-neglected and half dormant Diso Project! I’ll also soon be publishing the results of my collaboration with Mozilla Labs, which will provide some insight into what social networking in the browser might look like, and how OpenID Connect might play a role in it.

For good measure, I should also point out that my good friend and colleague Joseph Smarr also made a similar decision recently  — unbeknownst to me at the time! —  and announced that he’ll be joining Google later this month as well.

So, net-net, I’m stoked to be joining The Man Google, and very thankful to have had as much support from the many, many people with whom I’ve connected through the synapses of the social web over these past several years. This is of course a very happy birthday present for me, and I’m eagerly anticipating what’s next for the open social web in 2010…! This can all still be made better. Ready? Begin.

Feel free to leave a comment here, or get in touch via email.

Update: here’s the latest theSocialWeb.tv episode where I make my announcement:

I recommend Doc’s new post that explains the essence of what’s behind VRM. It’s a big vision, his, but Doc has a way of framing the future that makes it look inevitable – all that remains is the question of “how close is it in the mirror”?

I’m betting that this object is closer than it appears.

Oh no, not another post on OpenID already, you might think. Well, the new year is only a few days old and there are already three posts and tweets respectively that got me thinking about it again. But if you don’t want to read about OpenID again, just ditch this post.

The Idea of OpenID Connect

Let’s start with Chris Messina’s proposal of OpenID Connect that got some attention in the blogosphere over the last few days. According to Chris OpenID Connect should be a concept similar to Facebook Connect and Twitter Connect:

OpenID Connect is a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.

For the more tekkie guys of you, OpenID Connect should leverage Activity Streams, Portable Contacts, and OAuth WRAP among others.

Sounds good? At long last, a product based on OpenID that could be marketed and is similar to its rival Facebook Connect? Maybe. But we could have that product for a long time already. Isn’t there an OpenID/OAuth Hybrid protocol? Isn’t it possible to perform discovery of a service catalogue containing contacts, photos, and much more via XRDS-Simple?

I cannot comment on the technical differences of both approaches or their shortcomings. I simply don’t know them and never really had a look at OAuth WRAP so far. I’m just a dumb enduser. But from what I can tell it was possible to build something similar to Facebook Connect that wasn’t a product but a combination of a few protocols that could work almost the same way. However, no one cared to think about a reference implementation and documented it. So at least Chris’s idea of OpenID Connect could start a new discussion – and actually much needed work – about establishing a product based on open standards. I just hope marketing efforts will follow.

Email Anyone?

Last night I spotted a tweet by Hutch Carpenter, a name which should be familiar to those involved with Enterprise 2.0. Hutch had a really simple request:

Yes, it is as simple as this: Hutch just wants an email transferred while signing up to a new service. Those of you familiar with OpenID know that it’s possible. There is the Simple Registration Extension (SREG) and there is Attribute Exchange (AX). Both protocol extensions allow transferring an email address – among other data – from the OpenID provider to the consuming website, the relying party. Though both parties – the provider and the relying party – need to support them. However this great feature is mostly unknown to even tech savvy guys like Hutch.

How come? Back in the days of the old OpenID version 1.1 most providers and relying parties supported SREG. Unfortunately, when big providers like Google and Yahoo! jumped on board of OpenID this fine extension got forgotten by most people, simply because the big vendors didn’t support it. When Yahoo! started supporting some SREG values in November 2008 it was applauded and reading some of the blog posts about it, it sounded like Yahoo! re-invented the wheel. Hey, the current SREG specification is final since June, 2006! Yes, since the summer of 2006. So no real invention in the winter of 2008.

Confusion about the OpenID Name

The next blog post suprised me a little bit and I thought the blogger was probably an exception for getting some aspects of OpenID wrong. Basically, she thought she had to pay $25 for getting an OpenID when visiting OpenID.net. As it turned out, she was confused with the membership fee of the OpenID Foundation. Actually, I thought this would never happen. But it did and what if she was not the only one as she pointed out in the comments? Also she already had an OpenID from MyOpenID but thought it was something different, just because of the name.

OpenID Needs Marketing

Those three examples show one thing: OpenID needs more marketing! Though any marketing needs a product. So OpenID Connect or whatever it will be called in the end is a step in the right direction. Marketing should be done by those who know their job: marketers. Not developers as is the case mostly these days.

Also it’s probably a good idea to get more in touch with big tech blogs like Techcrunch, Mashable, and Read Write Web. They have turned mostly into news sites that need a story to write about. They hardly do intense research, so no one can expect them to find out the subtle technical details of something like OpenID, its extensions and related protocols. So in the end OpenID might get better press and won’t look like the inferior identity protocol to Facebook Connect.

I could spend this entire week doing nothing but reading and posting about good post-holiday reading of recent blog posts. My theory is simple: over the holiday break, people (well, most people – not me this year) have time to take a breather and write down something that’s really been on their minds.

And because they are not rushed, they have time to condense and sharpen their thoughts, and the result is a rash of excellent blog posts.

A wonderful example is Will Norris’ post about identity and identifiers. He speaks from long experience (and he’s worked on several identity protocols, including OpenID and SAML, as part of the Shibboleth project).

Read it and weep (if you have a recyclable OpenID).

(Aside: Although, as Will’s article intimates, XRI architecture solves this problem at the structural level, the implementation of XRI across OpenID 2.0 sites and libraries is currently very uneven. So IMHO realistically a full solution to the recyclable identifier problem with OpenID is still another protocol generation away.)

I’ve been thinking about how we make OpenID both easier and sexier for quite a while now. As frustrating as the answer may be to technologists, the problem is not necessarily one that can be solved with more technology. Instead, at some point, you have to move beyond the original constituents of a solution and start to package up the thing in a way that is less alienating, and less “insider baseball”.

“OpenID Connect”, therefore, is what I’m starting to use in casual conversation as my answer to Twitter and Facebook Connect.

It’s really creative, I know. That’s why they pay me the big bucks.

Seriously though, from a marketing perspective — it’s what I want the OpenID Foundation (and our new board) to offer the world in 2010. Essentially I think it’s time we ditched the “Open Stack” concept and put something out there that can stand up in conversation alongside the likes of Facebook Connect, in all its rich and specific expressiveness.

At some point, I want OpenID Connect to be what Facebook and Google and others implement that becomes the interoperable identity interchange protocol for the social web. But we’re not quite there yet, though all the technology is on the verge of being… ready.

Speaking of, from a technical perspective — I’m really just talking about repackaging OpenID as a profile of OAuth WRAP (credit: Recordon). It would provide relying parties with profile data, relationships, access to content, and activity streams — based on Recordon’s anatomy of connect.

Unlike the current incarnation, it would work in real-time, distributed systems, on the desktop as well as in mobile devices. Huzzah!

We’re not even that far away from such a solution. Since OpenID really just bootstraps identity — we need a way to provide relying parties with all the other stuff they’ve come to expect from the Twitter and Facebook Connect APIs… and that’s where the “connect” in “OpenID Connect” comes in.

So, to summarize:

• for the non-tech, uninitiated audiences: OpenID Connect is a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.
• for techies: OpenID Connect is OpenID rewritten on top of OAuth WRAP using service discovery to advertise Portable Contacts, Activity Streams, and any other well known API endpoints, and a means to automatically bootstrap consumer registration and token issuance.

22 companies including NTT docomo, KDDI, Sony, NEC, etc. have formed “ID Platform Federation Forum”. With JPY12 billion (approx. US$1.3M) in funding from the Ministry of Internal Affairs and Communication, the forum members will initiate the experiment, based largely on OpenID, by the end of the year. The forum itself is operated by Nomura Research Institute (NRI).

Mobile content and commerce has flourished in Japan after the deployment of mobile browser communication for the mobile phones in Japan. As of 2008, it amounts to JPY1,352,400,000,000 (approx. US$15M) and showing 17% growth even under stagnant market conditions [1]. It has become so important that it is often said that a service will not be viable without mobile web support.

One of the key factors of its success has been attributed to the ability to identify the user reliably in the mobile carrier network. This characteristic combined with the micropayments provided by the mobile carriers enable a zero-hassle login and payment user experience. However, these features have only been available via mobile browser and not on the PC and other internet-connected devices. The forum aims to expand the success of the identification and payment service capability from the mobile arena into the wider internet, using OpenID as the underlying technology. The forum will provide insights on the implementation and recommendations obtained from the experiment back to the international community through bodies such as the OpenID Foundation. Currently, the forum expects the feedback to impact the Mobile Profile of OpenID, the Attribute schema, and Level of Protection of the Relying Parties.

Chairman
Prof. Aida, Tokyo University

Vice-chair
Prof. Morikawa, Tokyo University

Secretariat
Nomura Research Institute, Ltd.

Members
Access Co. Ltd.
KDDI Corporation
Nextwave Co. Ltd.
NEC Corporation
Nihon Unisys Ltd.
Nomura Research Institute, Ltd.
NTT Comunications
NTT docomo Inc.
Fujitsu
Hitachi Ltd.
Softbank BB Corp.
Sony Corporation
Willcom Inc.

in addition, there are observers.

[1] Source: Ministry of Internal Affaires and Communication (http://www.soumu.go.jp/menu_news/s-news/02ryutsu04_000016.html)

In response to the newly enacted “Fund Transfer and Payment Services Act of Japan”, the OpenID Foundation Japan has announced the formation of the “Payment Working Group (WG)” on December 8, 2009. The Payment WG consists of 14 member companies and aims to create whitepapers on ”Guidelines for Secure Management of Information”, “Guidelines for Outsourcing” and “Guidelines for Identity Verification and Authentication” as well as the best practice and profiling document for implementing fund transfer and payment service built on OpenID.

Currently, only depository financial institutions such as banks are allowed to provide fund transfer service. The situation is going to change by this act taking effect in 2010. After that time, anybody who complies with certain conditions can start providing funds transfer service. The aim of this WG is to promote OpenID as the foundation for such services by establishing industry backed recommendations on profiles of OpenID.

What’s the next decade going to be like in technology?

I found myself pondering this a lot recently. It seems we are in for very revolutionary changes … like the becoming irrelevance of the PC. Or the move to NoSQL. Or all web apps being connected to each other, with RSS/Atom and OpenID being the first steps. Vendors, products, architectures, market dynamics will all be a lot different than we are used to.

Clearly worth pondering, or writing about it. Which not many people do. So I just started a new blog at:

upon2020.com

My focus will be the next decade, through 2020, thus the name, which of course is also a word play.

I am taking the risk that I might be terribly wrong with anything I might predict. It might be terribly embarrassing. But then, I hope to have a thought now and then that might spark some discussion, which is really all one can hope with on a blog.

So, enjoy! And disagree, otherwise, how should we all learn?

This blog will continue as before.

It occurred to me last night — through simple arithmetic, really — that 40 years from now, we’ll be living in the year 2050.

I suppose that realization was just as potent as the high school realization that I’d be entering college one year before 2000, and that a decade after that (i.e. this year), we’d supposedly have made contact with aliens by now.

In any case, it got me thinking that, in all likelihood, I’m going to make it to 2050. I’ll be 69 years old, and imagine by then, will have much more perspective, knowledge, and wisdom than I have now.

Still though, life never ceases to amaze (as the expression goes) and so I’m curious what you think: picture yourself waking up 40 years from now and saying to yourself, “Y’know, in 2050, I never would have imagined…” and then complete the sentence.

You can either leave your response here, or tweet it with the tag #in2050.

I still remember when I made the conscious decision to go by the name “Will” instead of “William”. I was 11 or 12 years old, and we were moving from Irving, Texas, where we had lived the last 7 years or so, to Olive Branch, Mississippi.

I don’t honestly recall why I decided to go by a different name. Name changes are common throughout history to mark a new beginning in one’s life. In the Bible, Abram is given the name Abraham, Jacob is renamed Israel, and Saul of Tarsus becomes Paul the Apostle. Converts to Islam will often take on a new Islamic name, and it is common for monarchs and newly elected popes to take a regnal name when they inherit the throne. It is customary in many cultures to take the surname of a spouse, or a blending of the two surnames, when one is married. Perhaps at some level I wanted to mark this new beginning in my life. I was leaving behind everyone I knew, and would be starting fresh with school, with friends… with everything. Maybe I wanted a new name to represent this new part of my life. Or perhaps I was simply emulating my older brother Steven, who at the time had chosen to go by “Steve”.

My immediate family was pretty good about respecting my decision. My mom later told me that when they were picking names for my brother and me, they went through all the possible nicknames and made sure they would be okay with them. Occasionally my mom would slip and call me William, and I remember that I used to get really mad about that. I don’t think my grandparents ever stopped calling me William, but after a while I got over it.

Identity Online

I think that I really started giving thought to my online identity when I was in college at George Tech. When I was a student, we were all given a “GT Number”, which was simply an opaque username and email address. Mine was gte739u, and so my email address was gte739u@prism.gatech.edu. Everyone had these numbers, and we all got used to them. Papers and tests might have a place to put your name, but they always had a place to put your GT Number. We weren’t names, we were numbers… we were simply $student++. I’ve never been one for pseudonyms, maybe because I didn’t have any real issues with my name. Up until this point, I had always used variations of my name for accounts: wnorris, wjnorris, or wjn730 if nothing else was available. It was only when I no longer had that freedom to identify myself how I chose that I became aware of how important it was to me.

It wasn’t until my second or third semester that I was eligible to get an account in the College of Computing, which you got to choose yourself. I was quite happy when I could finally give out a decent school email address to people — wnorris@cc.gatech.edu. In a small way, I felt like Equality 7-2521 asserting his individuality, taking the name Prometheus.

When I began to realize the benefit of a personal homepage, I found that the domain willnorris.com was already registered, so I settled on wirewater.org instead. I thought it sounded cool and I liked the definition in the Jargon File. I used that as my personal homepage as well as my main email address for several years, until I was able to buy willnorris.com a few years later and switch everything over to that. I had used wirewater.org so much during those years that I decided to just keep it indefinitely. I don’t think I ever receive legitimate email on that account anymore, but it costs so little that I don’t really worry about it. There is a competitive market for registering “.org” domains, so I can be assured that the price will always remain at a reasonable rate. If I want to change my registrar for whatever reason, I can easily do so.

A(nother) New Identity

In 2007, a new service called FreeYourID was launched by GNR and Janrain. For $11 a year, you could get a third-level .name domain of the form firstname.lastname.name. They would also forward email sent to firstname@lastname.name, and later added a few other identity related services like XFN links and redirects to your social network profiles. The most exciting part of all this was that every FreeYourID domain was automatically an OpenID, backed by MyOpenID. It was a great example of putting individuals in control of their identity online, and how OpenID delegation fit into that picture. Seeing the potential for this, I grabbed will.norris.name on the very first day. It wasn’t long before I started using this new URL as my primary identifier online. I still had willnorris.com and continued to use it as a blog, but will.norris.name became my “identity site”. It was a simple landing page that had contact information and links to my profiles on various services. Later I added an activity stream, and XFN links to friends and colleagues. More importantly though, I used it as my primary OpenID on any services that supported it.

About a year and half (and hundreds of OpenID logins) later, I decided that I didn’t want to maintain two sites. I polled my friends, and decided to migrate away from will.norris.name. It was a very manual process of updating my various online profiles, and presented even more challenges with OpenID. But like my transition from wirewater.org I had done several years earlier, I didn’t worry too much about because the extra domain wasn’t really costing me that much.

That all changed this year when it was announced that FreeYourID was shutting down after just two years of operation, and that all accounts would be transitioned over to Key-Systems GmbH. Never mind the fact that the new site to manage your registration is absolutely terrible, the cost for renewal was also raised to 23.39 € (about $35). And unlike my previous .org registration, hours of searching and phone calls have not revealed any way to transfer a third-level .name to a different registrar (in fact, most registrars won’t even transfer second-level .name domains). My domain was scheduled to expire in a few weeks, and I would have liked to just let it go so I don’t have to spend the $35, but there’s a little problem…

OpenID and Reusable Identifiers

I started the process of updating my OpenID on sites a year ago, but I’ve still identified three relying parties that do not support changing your OpenID (at least not that I can find): Disqus, Clickpass, and Pibb. I’m certain there are many more, but these are the only ones that I know I have accounts with, and are currently set to use will.norris.name. So if I let my domain expire, and someone else buys it, they can immediately login to my account at these three services. This is the way OpenID is designed to work… whoever controls the domain is able to authenticate as that URL. So what does this mean for me? Quite simply, it means that if I want to make sure that no one else is able to access my account on any of these three services, I’m forced to pay $35 to renew a domain I don’t use and don’t want.

Who’s to blame for this? Well, I could blame Key-Systems for tripling the price of .name accounts when they took over the FreeYourId service. I could blame myself for having bought the domain in the first place, instead of just sticking with the .com I already had. I could blame the services listed above for not supporting OpenID changes on accounts. And I could blame the OpenID protocol itself for keying on reusable identifiers, instead of using those as aliases to unique, non-reusable identifiers like XRI has been architected to do from the very beginning. All of these would be fair parties to place the blame on, but this post isn’t about placing blame. Instead, this post is about getting the technologists developing and deploying this stuff to start thinking through the entire account lifecycle.

Identifiers Change

We’re living in a world where the identifiers we use to refer to people online are more important than ever. From IRC nicks to email addresses to Twitter handles. These monikers are typically all that identifies us within a particular service context, and sometimes between contexts. This is particularly true of Twitter handles, which in recent years have come to be seen by some as the de facto namespace for people. I was more than a little upset when my former employer (a company focused on OpenID, no less) linked to my Twitter profile instead of my personal homepage when they announced my hiring. And again this year at WordCamp Portland, it was disheartening to discover that the attendee name badges had a place for your Twitter handle, but not for your blog URL. At a WordCamp! The emphasis on our identifiers on these services makes it increasingly difficult to change your identifier without breaking things. But the fact is, identifiers do change. As our online and offline worlds collide, more and more people are moving away from pseudonyms toward using real identities online (something Facebook had the forethought to require from the very beginning). While this is of course a personal decision, it’s one that Chris Messina recently undertook. Similarly, Tom Coates and Ben Metcalfe, two individuals who understand online identity and social media very well, have considered doing the same.

I guess my point is just this. Identity is important. And identifiers change. So we need to be ready for that as we continue to build the “social web”.

The voting results are in for the 2010 Board.  In addition to a strong group of returning members, we’re glad to see four new members who will bring tremendous value and new perspectives.

Morgan Stanley has published a very detailed report on the state of the mobile internet. Best of all, for free. (How did that happen? But then, I’m not complaining …)

Out of the hundreds of slides, I’m quoting two which speak for themselves. Notice that ARPU is going down at the same time many markets are saturating and new competitors show up. Be afraid, carriers, be very afraid.

This entire fall has been intense with work, thus the paucity of posts here. The holidays brings a welcome respite and a chance to catch up with a few key mental threads.

One of them is the growing awareness of the need for what the VRM community calls personal data stores (PDS). The concept is relatively simple: an online store for your own personal data — anything from classic PII (personally identifiable information), such as your identity and contact data, to any other data that you generate or control (files, blog posts, pictures, papers, music, videos, etc.)

Three things have surprised me about PDS:

1. How generally accepted the notion is by almost anyone who spends much time online, even folks well outside the identity community. It’s a relatively intuitive idea as soon as you understand the basic premise that individual people should have their own data source online.
2. How many names have been applied to the same general concept. As I indicated, PDS is only the term applied by the VRM community. The same general concept has been called probably a dozen other names. Here’s an excellent blog post by Mark Dixon that calls it a Personal Identity-Persona Service and a Security Identity Bank Vault.
3. How hard it is to implement. Though there have been several attempts, such as the Mine! Project, nothing has come remotely close to catching on yet.

I have several theses as to why this is so (and yes, the need for a Internet data sharing standard like XDI is high on the list), but I’ll save those for another blog post.

Here, I’ll just conclude with a simple prediction: it’s a threshold problem. Once the first practical solution for PDS starts to take hold, it will catch on and grow just like the first social networks did. The only question is what application will provide that initial traction.

One of the decisions that has to be made, or at least considered, early in the design of any software project is identifying your target audience. This is especially true of libraries that are designed to be integrated into other applications. Who do you expect to be using this library, and how do you expect them to make use of it? Is it something like log4j that can be dropped into place and used with just a few lines of additional code? Or is it something that is intended to be integrated into a larger system, requiring the developer using the library to provide additional logic and business rules to get things working? Something that might require a non-trivial amount of effort, depending on the needs of the use-case. There is no right or wrong answer, and oftentimes it’s somewhere in between, but it’s something that must be considered.

Some of the best software libraries I’ve used address both ends of the spectrum. There’s a common adage in software development (and I’m sure it goes back farther than that): “make the common things easy, and the hard things possible”. First, you don’t want to make things any harder than necessary for the majority of users that are just using the basic functionality of a library. If they don’t care about customizing and tweaking every little aspect of it, then the way they interact with the library should be relatively simple and straightforward. But for those users that have unique needs, the library should allow them to configure it in such a way to accommodate that. It is certainly my goal to address both extremes in the Shibboleth OpenID library, but it will happen in phases.

The first phase will address the edge-cases, those users of the library that tend to have unique needs and requirements. That may seem backwards, but I assure you it isn’t. First of all, the really practical reason for starting here is that Shibboleth is itself an edge case. The reason I chose not to use the existing Java OpenID libraries in the first place was that they didn’t adequately conform to the way Shibboleth needed them to work. But from a design perspective, I’ve found that this approach tends to yield better results anyway.

Small Pieces Loosely Coupled

I’ve learned that in order to make a system really flexible and modular, it’s best to architect it that way from the very beginning. You have to decide where the logical divisions of labor are within the system, and then translate that into the code itself. Each component should be relatively self-contained, it’s purpose should be clear, and its interface (the way it interacts with other components) should be separated from its actual implementation. Sometimes these components are obvious, and there are clear places where the code should be divided. But more often than not, its a judgement call. Architecture is often harder than actual construction, whether you’re talking about software or brick and mortar. It requires a lot of creativity because you’re often working from a blank canvas, but it also requires that your plans are grounded in what is actually possible. Architectural plans are worthless if they can’t actually be implemented in the real world in a practical way. By no means do I think that I’ve found the best architecture for this library, because it’s always subjective. Fortunately, I’ve had similar libraries that I’ve borrowed from heavily for inspiration, as well as much smarter developers that I work with to bounce ideas off of.

At its core, this library is an OpenID messaging library. It is capable of converting between generic HTTP messages and strongly typed OpenID objects that developers can work with. My last two posts have talked about this in detail. The library also provides the additional logic for implementing the OpenID specification, things like Diffie Hellman key exchange and OpenID message signing. What the library does not do is tell you how you must compose these pieces into a working system. That’s because there isn’t just one way to do it. It greatly depends on the application that is wanting to add OpenID support. If you’re using a Java framework like Tapestry or JSF, perhaps you have other processing that happens to the message before the OpenID library gets involved. How does the user get authenticated and where do the user attributes come from? I have no idea… that’s up to your application to decide. At this level, the library makes no assumptions (or at least as few as possible) about how all of these small pieces should be coupled together.

If this sounds like a lot of work left up to the user just for something as simple as OpenID, you’re right… it is a lot of work. But when you really need that level of control, it’s important that the library support that.

Addressing the Common Case

So what about everyone else, all the “mere mortals” who don’t need that much control, and just want to add OpenID support to some application using the default configuration? At a high level, I’d love to have a Servlet Filter that you can drop in front of your application, configure a few small things, and have it just work as an OpenID relying party. I’ve always been a huge fan of the Tapestry framework, so I’d love to have a Tapestry component that can be dropped in just as easily. All of these things are possible by building a layer that sits on top of those individual components in the library, and arranges them in a prescribed way.

Now, I don’t anticipate that a drop-in Servlet Filter will ever be a part of the core library, because I don’t think it belongs there. It would be a separate deliverable unto itself that simply relies on the library to do all of OpenID work. This also means that the Filter wouldn’t necessarily need to come from me, anyone could write it and make it available. I don’t imagine that the core library itself will ever have everything that the “common case” users will need. And I’m okay with that, because I’m not building an OpenID product, I’m building an OpenID library.

Current Status

This is by no means a complete picture of the Shibboleth OpenID library, but it should give you a rough idea. It identifies some of the larger components of the libraries, and some of the interdependencies.

The orange blocks are pieces that are basically complete and present in the current library. All of the message handling is complete for OpenID 2.0 message, as well as three of the most popular message extensions (SReg, AX, and PAPE). Additionally, association management is done, and a very simple AssociationStore is provided (though it needs a little improvement). The security layer is complete insofar as signing and verifying signed messages. The yellow blocks represent pieces that are not yet complete, but will be included in the core library in the future. The discovery component is still up in the air a little bit because it’s not completely clear if we’ll be using XRD, XRDS, or both. The portions of the security layer that depend on discovery are, of course, waiting on the completion of the discovery stack. Those pieces include everything that an application would need to construct an OpenID provider or relying party. They implement the full OpenID protocol.

But those components alone leave a lot to be filled in by the application using the library. It says nothing about how an incoming HttpServletRequest object is converted into an OpenID Message. The application would be responsible for instantiating the specific objects and wiring them together to actually get a working AssociationManager. And for applications that wish to have control over these specific aspects of an OpenID flow, this is a good thing. The next layer up on the stack however, the yellow “Managers” block, will provide simple Manager objects that wire things together in a prescribed way. Most users of the library will deal with the Manager layer, and probably nothing else. Only when they have specific needs will it be necessary to dig any deeper.

Now this last layer is actually nothing special… it’s a very common pattern, and both OpenID4Java and Joid work in very similar ways. I point it out only to note that while this layer will be part of the core library in a future release, it isn’t right now. Much of the code that will likely make up these components has already been written, but in the form of the Shibboleth IdP extension. For the last few months I’ve been simultaneously building both a generic OpenID library, as well as an actual product that makes use of the library. One of the tougher ongoing challenges while doing this is in deciding which of the two projects a particular bit of code goes into. Much of the time it’s clear, but when in doubt, I’ll put something into the Shibboleth extension rather than the library. If anything, I want to err on the side of keeping the library “pure” so to speak. To not accidentally bake any assumptions into the library itself that might limit its flexibility. One of my focuses after the holidays will be in identifying which pieces need to be refactored from the Shibboleth extension back into the core library in order to build out that management layer.

(And in case it’s not clear, the final layer in grey in the stack above are other pieces that will make use of the OpenID library, but will likely not be part of the library itself.)

The new design brings in a slew of new features to their blog with the most important being a “usable” commenting system courtesy of Disqus. That means you can use your Twitter or OpenID login to comment on their site.

I went to the suidicemachine and got this message

We apologize to all our users for the breakdown of our service! Within the last hours the huge demand for 2.0 suicides completely overblew our bandwidth resources!

We are currently considering relocating to another serverfarm. Please consider suicide at a later moment and accept our apologies!

You can still try to catch a free slot, but chances are quiet low at the moment!

More from their site….

Faster, Safer, Smarter, Better Tired of your Social Network?

Liberate your newbie friends with a Web2.0 suicide! This machine lets you delete all your energy sucking social-networking profiles, kill your fake virtual friends, and completely do away with your Web2.0 alterego. The machine is just a metaphor for the website which moddr_ is hosting; the belly of the beast where the web2.0 suicide scripts are maintained. Our services currently runs with facebook.com, myspace.com and LinkedIn.com! Commit NOW!

You can even see video’s about what happens as one uses the machine.

ok the FAQ’s get eve better…..

I always get the message “Sorry, Machine is currently busy with killing someone else?”. What does this mean?
Our server can only handle a certain amount of suicide scripts running at the same time. Please consider your suicide attempt at a later moment! We are very sorry for the inconvenience and working on expanding our resources.

If I kill my online friends, does it mean they’re also dead in real life?
No!   

What do I need to commit suicide with the Web 2.0 Suicide Machine?
A standard webbrowser with Adobe flashplugin and javascript enabled. So, it runs on Windows, Linux and Mac with most of browsers available.   

I can’t see my friends being killed, what happened?
Probably your flash-plugin is older than version 10? But yikes – you cannot stop the process anymore! Once you entered the login details, the machine is running the suicide script.   

If I start killing my 2.0-self, can I stop the process?
No!   

If I start killing my 2.0-self, can YOU stop the process?
No!   

What shall I do after I’ve killed myself with the web2.0 suicide machine?
Try calling some friends, talk a walk in a park or buy a bottle of wine and start enjoying your real life again. Some Social Suiciders reported that their life has improved by an approximate average of 25%. Don’t worry, if you feel empty right after you committed suicide. This is a normal reaction which will slowly fade away within the first 24-72 hours.

Do you store any data on your webserver, like password of the user?
We don’t store your password on our server! Seriously, it goes directly into /dev/null, which is equal to nirvana! We only save your profile picture, your name and your last words! Will the 2.0 suicide machine be available for other networks such as twitter and plaxo? We are currently working on improving our products!. Currently we are working on Flickr and Hyves, but of course we are eagerly thinking of ways to get rid of our “Google Lifes”.   

How does it work technically?
The machine consists of a tweaked Linux server running apache2 with python module. Selenium RC Control is used to automatically launch and kill browser sessions. This all driven by a single python/cgi script with some additional self-written libraries. ?Each user can watch her suicide action in real-time via a VNC remote desktop session, displayed on our website via an flash applet rendered live into the client’s webbrowser. We are also running some customized bash scripts plus MySQL in the background for logging and debugging, jquery for the website and a modified version of the great FlashlightVNC application built in Flex. Web2.0 Suicide Machine consists of roughly 1800 lines of self-written code.   

Why do we think the web2.0 suicide machine is not unethical?
Everyone should have the right to disconnect. Seamless connectivity and rich social experience offered by web2.0 companies are the very antithesis of human freedom. Users are entraped in a high resolution panoptic prison without walls, accessible from anywhere in the world. We do have an healthy amount of paranoia to think that everyone should have the right to quit her 2.0-ified life by the help of automatized machines. Facebook and Co. are going to hold all your informations and pictures on their servers forever! We still hope that by removing your contact details and friend connections your data is being cached out from their servers. This can happen after days, weeks, months or even years. Just deactivating the account is thus not enough! [emphasis mine]

How much does it cost to kill myself?
Usage of Web 2.0 Suicide machine is for free.   

Can I build my own suicide machine?
Theoretically yes! You’ll need a Linux WebServer (apache2) with perl and python modules (php should be installed as well). Further, you’ll need VNC-server and Java packages by Sun to launch selenium-remote applets. If you feel like contributing or setting up your own machine, please get in contact with us via email.

Related posts:

1. Death in first person shooter games
2. Other negative Cybermobs: Live Suicide
3. Suicide Options for Facebook, LinkedIn and Twitter

It was at the end of 2004 when I decided to start telling the world about this silly little idea I had had about a year before: give every person on the internet a URL that they could use to identify themselves to any website. Fully decentralized, no permission needed from anybody, under control of the user and so simple to implement and host, it could literally be everywhere.

This week the OpenID Foundation announced that now, exactly 5 years later, more than one billion identity URLs (now called OpenIDs) are operational on the internet. Not bad, I’d say. From 1 to a billion makes a compound annual growth rate of something like 6300%, over five years.

Time to compare the original vision with what it turned out to be. Well, some salient aspects of it anyway:

I did not run for the OpenID Foundation’s Board of Directors this year. I think I’m done there: I’m more of an inventor and innovator and entrepreneur than somebody excited about the daily grind of non-profit work of getting those billion OpenIDs used more every day, one day at a time.

Looking backwards, I think I need to be supremely amazed that this “silly” idea has had such amazingly powerful legs to walk that far. To be clear, if I hadn’t thought of it (and my wife Tammy hadn’t prototyped it), somebody else would have within a couple of years, most likely. And many, many people brought their ideas into the picture without which we would not have come to where we are. Thank you all, this is a story of collective barnraising. Success always has many fathers parents, and I mean that sincerely; in this case probably about a dozen. But still, it’s amazing to look back and trace a straight line over 5 years to the idea of the barn in the first place, and its basic architecture. Here it is, the barn, 5 years later, a billion strong. Not many times that anybody can claim to have had a hand in sparking something that became billions.

The jury is still out whether any meaningful money can be made around this. But I’m getting more optimistic: a billion is hard to ignore, in particular if all major players are on board, which they are. So going into 2010, I’m feeling like it’s time to do some serious business, and I think I know just where to start (contact me if you like)

So far, so good

Happy Holidays to you all!!

Yesterday, the OpenID Foundation (OIDF) published its review of 2009. The numbers mentioned in the blog post look great. Having over 1 billion OpenID enabled accounts worldwide and over 9 million sites that let users log in with an OpenID are truly impressive numbers. Also it is a great list of companies providing or consuming OpenID.

I also applaud the OIDF for cooperating with the US government and initiating a strategy where OpenID logins on federal government websites become reality. It is a great way to help citizens engage with government agencies because they don’t need to register again just to gather some information, making an appointment and what not. Hopefully, this will become a blueprint for other governments as well.

However, having a closer look at the blog post, it becomes apparent that all that glitters is not gold. At least in my opinion.

• Some of the mentioned OpenID providers like German GMX and Web.de are hardly recognizable as providers. Users can only use credentials of those email providers on Facebook. Well, actually (automatic) login only works if users are already logged in to those providers and Facebbok makes a checkid_immediate call. Having login credentials that only work for one website? Interesting concept.
• Many big and small companies are mentioned that accept OpenID. However quite a lot of them rely on JanRain’s RPX. There is nothing wrong with it. JanRain is about the only small, independent OpenID company that established a viable business model with RPX.

  But RPX is not only featuring OpenID as a login option but also Facebook Connect and Twitter among others. And some of the companies listed in the blog post don’t even allow logins with custom OpenIDs. Just have a look at the Wetpaint and Qype login screens:

  

  Wetpaint

  

  Qype

  Yes, Yahoo!, MySpace, and Google logins are based on OpenID but users cannot use a custom OpenID.

• And some of the mentioned companies have not even deployed OpenID yet, e.g. German Scout24, a subsidiary of Deutsche Telekom. If I got things right, Scout24 will also use RPX.

Yes, OpenID progressed in 2009. Though the technology has become more hidden, either behind obscure provider implementations like at GMX or behind buttons and logos of big vendors like Yahoo! and Google. Actually, it is not bad that technology becomes less obvious for users but the original idea of OpenID is gone as well: Having a URL

To empower individuals to define and offer and enforce their own terms in their interactions with others. To not merely be somebody’s user or consumer, but to be a first-class citizen of the net. To not be at the mercy of any government or organization.

as Johannes Ernst wrote in a recent blog post.

It’s been an exciting year. A number of initiatives that were started in 2008 had a direct impact on the success of the platform in the past year, so many thanks to all the organizations and individuals who have contributed.  Here’s a quick summary of the state of OpenID.

• There are over 1 billion OpenID enabled accounts from the following providers worldwide: 
  • US: AOL, Blogger, Flickr, Google, LiveJournal, MySpace, Verisign, WordPress, and Yahoo
  • Europe: France Telecom, GMX/Web.DE, Hyves, Netlog, and Telecom Italia
  • Japan: Livedoor, mixi, NEC Biglobe, Rakuten, and Yahoo! Japan

• There are over 9 million websites utilizing OpenID for registration and login on some portion of their websites across a wide range of organizations including Sears, Kmart, Universal Music Group (200+ Interscope, Geffen, A&M labels and artists), FoxNews, EMI, TwitterFeed, RedPlum, Savings.com, DC Shoes, CitySearch, Zappos, Nike, Microsoft, Mint, Nokia, Random House, Sony BMG, Café Press, TweetDeck, ViewPoints, Qype, Scout24 (Deutsche Telecom), Avro, Associated Northcliffe Digital, Smart.fm, Hokkaido Television Broadcasting, OnGen, 2-han.net, Nikko Hotels, ClipCast, Facebook etc.

• Microsoft, NTT Docomo, PBS, and PayPal have also announced plans to OpenID-enable their users adding hundreds of millions of additional OpenID enabled accounts

• Several organizations are using OpenID internally for federated ID management: Amazon, Japan Airlines International, National 4-H, SAP, Sun Microsystems, and PBS

• The US federal government has announced its intention to deploy OpenID on federal websites.  During two separate meetings with Vivek Kundra, the Federal CIO, he explained that a major priority for the federal government is transparency and “citizen engagement.” Accordingly, the government is aggressively pursuing open standard technologies that enable and support these objectives.  At the Gov 2.0 Summit in Washington DC, the General Services Administration and several government agencies announced their plans to adopt OpenID as part of the White House’s Open Government Initiative.  This announcement followed several months of research and discussion between the OpenID Foundation, OIDF member companies, the GSA, NIST, OMB, the InfoCard Foundation, and various government agencies.  The Identity, Credential, and Access Management (ICAM) committee of the GSA published its Identity Scheme Adoption Process, Trust Framework Provider Adoption Process, and OpenID 2.0 Government Profile documents over the last several months.  Initial identity providers include Yahoo, Google, AOL, Verisign, and PayPal who are undergoing certification processes defined in the TFPAP.  The first wave of federal websites to accept these identity providers will include the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS), and related agencies.

• A large number of market leading web platform providers have also integrated OpenID including Disqus, Drupal, GetSatisfaction, Joomla, JS-Kit, Kickapps, Movable Type, Plone, Pluck, TypePad, UserVoice, Viewpoints, WetPaint, WordPress, and Zend.

• Shibboleth, an identity management system used by thousands of research institutions has announced that Shibboleth V2.X will integrate OpenID support.  The U.S. deployment of Shibboleth, InCommon, is a community of more than 4 million researchers, students, staff, and faculty across more than 180 institutions.  The OpenID Foundation worked closely with InCommon/ Shibboleth in developing trust frameworks for the US Government OpenID deployment.  Another example of how the OpenID Foundation and members are collaborating with a number of identity initiatives.

• The OpenID Foundation and member organizations continue to collaborate closely with other user managed identity open standards including OAuth, Portable Contacts, and Activity Streams to provide website operators and end users with even richer and mutually beneficial web experiences.  We believe that this decentralized, open-standards-based approach is ultimately in the best interest of website operators and end users alike, where both collaboration and competition can drive innovation, choice, and widespread adoption across multiple geographies/nationalities, application areas, and demographic segments.

Beyond these broad market developments and milestones, the following summarizes some specfic accomplishments in various categories:

• OpenID Foundation Organizational Developments.  As we mentioned at the end of 2008 and in early 2009, a lot of attention was required to develop an organizational capability commensurate with the growing role and needs of the Foundation.
  • At the end of 2008 we completed our first open board elections for 2009 and subsequently elected an executive committee.
  • We were fortunate to be able to hire Don Thibeau as our new Executive Director.  Don was formerly VP Business Development at TransUnion and Executive Vice President at Qsent
  • We retained Global Inventures as our Foundation platform infrastructure partner.  Global Inventures manages the back office operations of over 20 organizations including HDMI, HomePlug Network, Open Grid Network, PC Gaming Alliance, SD Card Association, and the ZigBee Alliance
  • We established a 2009 operational and financial plan, balanced costs and income even with the unplanned costs for US Government OpenID pilot programs
  • We added Nat Sakimura as International Liaison to OpenID Foundation Board Executive Committee
  • The bylaws and IPR agreements were updated
  • We added three new sustaining members: PayPal, Facebook, and Booz Allen Hamilton
  • We established the User Interface, OpenID/OAuth Hybrid, and Contract Exchange working groups
  • The board developed a list of key priorities for 2010

• Market Outreach.  A key goal for 2009 was to increase awareness, adoption and usage of OpenID.
  • OIDF’s Executive Director and several board members represented OpenID with analysts like Gartner and led a new industry collaboration with key identity ecosystems organizations like InCommon, Kantara, Oasis, and others at key public and private sector events.
  • We participated in several industry events including Internet Identity Workshops, RSA Conference, Transparency Camp, Government 2.0, and others
  • Yahoo and Facebook each hosted and led User Experience Summits at their respective facilities
  • Yahoo held an OpenID Summit just before Internet Identity Workshop
  • BBC and JanRain hosted a Content Provider Committee meeting in NYC and several members participated in an Online Retailer Advisory Committee session
  • Sears, Yahoo, and JanRain are scheduling the next UX Summit at Sears Usability Lab in February in Chicago
  • We executed two significant updates to the OIDF website led by Chris Messina with support from Global Inventures and JanRain
  • Several individual community candidates for the 2010 board elections represent experience with broader industry and geographic coverage – Media (NY Times, NPR, PBS), Commerce (Sears), International (Deutsche Telekom, Switzerland, Estonia, Netherlands, India, etc.)

• Federal Government.  While this opportunity wasn’t on our roadmap at the beginning of the year, the Foundation responded quickly and aggressively to requests from the government to adopt OpenID for use on federal government websites.
  • OIDF’s Board of Directors responded to the invitation of the US CIO, Vivek Kundra, and significantly influenced the government’s plans for technical and policy interoperability of internet identity.
  • We worked with GSA, NIST, OMB, NIH, HHA, CIT, and ICF to deploy pilots for three federal government agencies
  • 5 industry leading identity providers are supporting the OIDF’s training and technical assistance for testing a government-wide technology profile for OpenID in pilot applications in support of the US NIH iTrust Program: Google, Yahoo, AOL, Verisign, and PayPal
  • OIDF’s Chairman, Executive Director and outreach committee members were quoted in numerous trade, government and mainstream press regarding the US GSA’s “Open Identity for Open Government Initiative”  
  • The OIDF is evaluating mechanisms to deliver the organizational capability required to provide ongoing OP certification services for the federal government and eventually other commercial applications

• OP Progress.  All the major OpenID Providers have significantly improved the richness and usability of their offerings (OP capability summary to be published shortly)
  • MySpace became an OpenID provider
  • Facebook became an OpenID relying party
  • PayPal became and OP for the federal government pilot
  • Google converted over 1 million Google Apps clients into OpenID providers
  • Microsoft committed to becoming an OpenID Provider in 2010
  • AOL committed to migrating to OpenID 2.X in 2010

• Security Progress. Monitoring and continuous improvement in safety and security of the OpenID platform continues to be an area of emphasis for the Foundation.  The following summarizes some important developments during the period. 
  • Andrew Nash of PayPal was selected to head the Security Committee.  Other members include: Eric Sachs, Nat Sakimura, Tony Nadalin, David Recordon, Eddy Nigg, John Bradley, Nate Klingenstein, and Philip Hallam-Baker
  • Working groups were formed and specification development has progressed for both the PAPE and Contract Exchange OpenID extensions
  • Per the Federal Government section above, the OpenID Foundation and Information Card Foundation have been working with the GSA, NIST, and others on trust and security frameworks for federal government deployment pilots.  It is expected that the trust frameworks and certification programs developed for this application will be extensible to other commercial and private sector applications where enhanced security requirements are relevant.

As you can see, the rate of progress has accelerated in 2009 and we expect it to continue in 2010.  We thank member organizations and individuals for their input and contributions, and look forward to even more support in the coming year.   Remember you can contribute via mailing lists, technical working groups, and standing committees so please stay or get involved to help us realize the full potential of the OpenID platform.

Best wishes for a great holiday season and new year.

Brian Kissel

Chairman, OpenID Foundation