
On Liberty and the Case for Anonymous Federation of Identity
Last month I promised to post my comments on the Liberty Alliance Version 1.0 Architecture Overview. In short, I think the Alliance has done a fine job of designing a system for federated identity, but I have serious reservations regarding the concept as a whole. I believe Liberty is unnecessary and a threat to consumer privacy, and that alternatives exist that can deliver a majority of Liberty's benefits without the drawbacks.
Federated Identity
Don't be afraid. Try it. Click on the button, then come back and read more.
If you clicked on the button, you were taken to Amazon.com, and a copy of my first book was put into your Amazon.com shopping cart. Think I'm kidding? Click on the button again and then on Edit Shopping Cart. Not only is my book in the shopping cart, but if you're a regular Amazon.com customer (i.e., if there's an Amazon.com cookie stashed in your browser's files), it's in your shopping cart. The shopping cart knows your name, address, credit card info, and more. (Yes, you can remove the book from your shopping cart if you already have a copy. :-))
What do you think? Cool? A little bit creepy? Downright frightening? How did my web site know who you were? Even if you subscribe to my free newsletter, I don't use cookies, so I don't know your identity. This is an example of what I call anonymously federated identity, and I'll discuss it in greater detail shortly. (There's an explanation* at the end of this essay on the Amazon.com technology.)
My Objections
My problem with the concept of federated identity is that despite claims to the contrary, it's almost exclusively merchant-serving. It contains virtually no benefits for the consumer. From the Liberty Architecture Overview document:
Federated network identity is the key to reducing this friction and realizing new business taxonomies and opportunities, coupled with new economies of scale...[it creates a] rich, fertile federated identity infrastructure...
Today, users' accounts are scattered across isolated Internet sites. Thus the notion that a user could have a cohesive, tangible network identity is not realized.
Who says consumers want a network identity? Why is that a good thing? I suggest it's unwanted, unnecessary and dangerous.
Claimed Consumer Benefit #1: Liberty Enhances Your Privacy
The first objective listed by the Liberty Alliance is to "enable consumers to protect the privacy and security of their network identity information."
I've read all 41 pages of the Overview, and I've found nothing that would enhance my privacy or the security of my personal information. Nothing. In fact, all I've discovered are new ways in which my privacy and security can be compromised.
- Any time previously segregated elements of my identity or my personal attributes can be combined, my privacy is threatened. The classic example is that a healthcare insurance company or potential employer might discover that I was the same person who researched AIDS or cancer on line, and exploit that knowledge--without my permission--to my detriment. The more information about me that's available in one place, the greater the risk to me. Segregation of data enhances privacy. It's fundamental.
- Liberty doesn't improve authentication or encryption. I would continue to log onto web sites using the same username/password pairs as I always have. However, if someone is able to impersonate me at the site that acts as my identity provider, Liberty would let that person into every site I've federated with it, without a separate login at any of them. Federation expands the scope of damage due to identity theft.
- Call me a skeptic (I am), but I don't care how many times companies and governments swear my privacy will be protected, I don't believe them. Some of them I just don't trust. Others mean well, but have already proven they're vulnerable to hackers. And in a world where privacy policies are "subject to change," who can keep track of them all? If a company goes bankrupt, will my identity be auctioned off to the highest bidder? Ultimately, there's only one solution: Merchants can't lose or abuse information they don't have. It's in my best interest to give them only what they need in order to do what I want them to do.
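To make the second point concrete, here is an added example that is not part of the essay or of the Liberty specification: a small Python model of a circle of trust in which service providers accept a signed assertion from the identity provider in place of a password. The user names, passwords and keys are constructed for the example, and the assertion is HMAC-signed JSON rather than Liberty's SAML-based format; the point is the reach of one stolen identity-provider credential, which accounts_reachable computes for the federated and the unfederated case.

```python
# Added example (not from the essay or the Liberty specification): a minimal
# model of single sign-on across a circle of trust, used to show how far one
# stolen identity-provider password reaches.  Names, passwords and keys are
# constructed; the assertion format is a simplification, not Liberty's.
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    def __init__(self, passwords):
        self.passwords = passwords          # user -> password (constructed)
        self.keys = {}                      # sp name -> shared HMAC key
        self.links = {}                     # user -> {sp name: opaque handle}

    def enrol_sp(self, sp):
        self.keys[sp.name] = secrets.token_bytes(32)
        sp.idp_key = self.keys[sp.name]

    def federate(self, user, sp, local_account):
        """The one-time 'link my identities' step the essay describes:
        a persistent, opaque handle ties the IdP user to an SP account."""
        handle = secrets.token_hex(8)
        self.links.setdefault(user, {})[sp.name] = handle
        sp.accounts_by_handle[handle] = local_account

    def authenticate(self, user, password):
        return hmac.compare_digest(self.passwords.get(user, ""), password)

    def assertion_for(self, user, sp_name):
        """Tells the SP which linked account to open; no SP password needed."""
        handle = self.links.get(user, {}).get(sp_name)
        if handle is None:
            return None
        body = json.dumps({"sp": sp_name, "handle": handle}).encode()
        tag = hmac.new(self.keys[sp_name], body, hashlib.sha256).hexdigest()
        return body, tag


class ServiceProvider:
    def __init__(self, name, passwords):
        self.name = name
        self.passwords = passwords          # local account -> password
        self.accounts_by_handle = {}
        self.idp_key = None

    def login_with_password(self, account, password):
        return hmac.compare_digest(self.passwords.get(account, ""), password)

    def login_with_assertion(self, assertion):
        body, tag = assertion
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(body)
        if claims["sp"] != self.name:       # audience check: meant for another SP
            return None
        return self.accounts_by_handle.get(claims["handle"])


def accounts_reachable(user, stolen_password, idp, sps, federated):
    """Which SP accounts an attacker holding one stolen credential can open."""
    opened = set()
    if federated:
        if idp.authenticate(user, stolen_password):
            for sp in sps:
                a = idp.assertion_for(user, sp.name)
                if a and sp.login_with_assertion(a):
                    opened.add(sp.name)
    else:
        # Without federation the stolen password is good only where it was set.
        for sp in sps:
            if sp.login_with_password(user, stolen_password):
                opened.add(sp.name)
    return opened


def build_world():
    """Constructed circle of trust: one IdP, three SPs, one user linked to all."""
    idp = IdentityProvider({"alice": "idp-pw"})
    airline = ServiceProvider("airline", {"alice": "air-pw"})
    cars = ServiceProvider("cars", {"alice": "car-pw"})
    hotel = ServiceProvider("hotel", {"alice": "hotel-pw"})
    for sp in (airline, cars, hotel):
        idp.enrol_sp(sp)
        idp.federate("alice", sp, "alice")
    return idp, [airline, cars, hotel]


if __name__ == "__main__":
    idp, sps = build_world()
    print(accounts_reachable("alice", "idp-pw", idp, sps, federated=True))
    print(accounts_reachable("alice", "air-pw", idp, sps, federated=False))
```

Nothing in the model is broken: the assertion is integrity-protected and carries an audience check, so an assertion issued for the airline is rejected at the car-rental site. The enlarged blast radius comes from the design itself, not from a flaw in it, which is the essay's point.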
Claimed Consumer Benefit #2: Single Sign-On Is a Convenience
I see no net value (i.e., after weighing the risks) in single sign-on for accessing public web sites. It's great for the vendors, but how does it help me?
The example used most often is the sharing of identities between an airline web site and one belonging to a rental-car company. In the Liberty scheme, after logging into the first site, I must grant permission to link my identities between the two sites, then log into the second. I will already have had to take extra steps and make at least one decision. Not much benefit so far.
The second time I click from United to Avis, does it matter to me that I don't have to log in? My web browser already does a decent job of remembering usernames and passwords for me. What would I give up to be able to skip this step? Not much.
How important is it to me that United and Avis have this partnership on an ongoing basis? I may have an allegiance to United based on frequent flier miles, but I'm not as loyal to any rental-car company, and suppose I'm loyal to Hertz rather than to Avis? Doesn't the United/Avis partnership restrict rather than increase my choices?
If it's one-stop-shop convenience I want, I'm more likely to go to an integrated travel site like Travelocity or Expedia, rather than start with United. At the integrated sites I don't need to share my identity. I can book air travel, cars and hotels at a single site with a single sign-on, and the site remembers all of my preferences, frequent flier numbers, etc.
Furthermore, at integrated travel sites I can shop for best prices. That's more important to me than the affiliate relationship between vendors who want to share my identity. Liberty-based federations don't help me find lower prices. Quite the contrary: Their purpose is to build larger and more dominant partnerships that, in turn, lead to less competition and higher prices.
Claimed Consumer Benefit #3: Targeted Marketing Is Good For You
I don't buy it. Yes, all other things being equal, I'd probably rather be subjected to ads for goods and services along the lines of my personal interests, but not if it requires any extra effort on my part, and certainly not if it in any way compromises my privacy.
The Anonymous Federation Alternative
Consider alternatives that retain the current levels of consumer privacy protection, yet deliver to vendors and merchants most of the capabilities they claim they need. The Amazon.com affiliate program, described in more detail below*, is a good example.
- It's easier for the consumer. The opt-in step is implicit in the click-through.
- It's easier for the vendors. The technology is trivial by comparison to Liberty, and the business decisions and relationships are identical to those under Liberty.
- It supports data exchange. If the consumer opts in, data from the first site can be passed to the second via an HTTP POST request. (In the Amazon.com example, the book's ASIN and the ID of the affiliate web site are passed. It's just as easy to pass encrypted captured personal information in this manner, if desired, though the receiving site must then hold a key shared with the sender, and whatever arrives in a browser-submitted form must be treated as untrusted input, since the user or anyone in the path can alter it.) Note that in any case--fully federated or anonymous--it's incumbent upon the merchants to explain what data will be shared with others. There are no guarantees, only promises.
- It improves consumer-privacy granularity. The data exchanged can be limited to that which is required for a particular transaction rather than the blanket exchange of identity. Most affiliated-party transactions require the exchange of very little information. Consider the United/Avis example. If I'm on the United web site and want to reserve a car at my destination, what needs to be passed? Perhaps my arrival time and flight number, but that's not part of my identity. Maybe my United frequent-flier ID number needs to be passed so that I'll receive the incentive. But that's all. According to the Liberty specification, Avis must know who I am to begin with. And if they need my credit-card number, I can give it to them once and for all. I'd rather do that than authorize United to give it to Avis on my behalf.
In Summary
Didn't we learn anything from our failed experiments with wallets? [Microsoft is at it again!] At the end of the day, people don't find the inconvenience of using a credit card on line to be a significant obstacle to purchasing. Or those that do find it objectionable aren't going to use something that's even more complex such as a wallet or approved federated links.
Liberty 1.0 doesn't cut it. It won't enhance consumer privacy. Single sign-on isn't worth the extra initial steps a consumer will be asked to take, and the benefits don't outweigh the risks to privacy and security.
I can see why it's attractive to some vendors, particularly those who want to create brand-driven partnerships in lieu of open price competition. But I expect we'll hear more from consumers' rights groups on this very topic.
Liberty may have a role in intranet environments. But on the other hand, other solutions to that problem already exist as well.
* The Amazon Example
The button at the top of this essay is based on a very simple HTML interface to Amazon.com. The company refers to it as part of its web-services interface, but it's not truly a web service. Here's the HTML in its entirety:
<form method="POST"
      action="http://www.amazon.com/o/dt/assoc/handle-buy-box=0471085782">
  <!-- the ASIN of the book to add -->
  <input type="hidden" name="asin.0471085782" value="1">
  <!-- the Associates ID, sent under two spellings of the field name -->
  <input type="hidden" name="tag-value" value="rds-20">
  <input type="hidden" name="tag_value" value="RDS-20">
  <input type="submit" name="submit.add-to-cart" value="Click Here to See an Example">
</form>
Clicking on the button takes you to the Amazon.com web site via an HTTP POST request that includes the ASIN of my book and my Associates ID, "RDS-20". The latter is included so that I get credit for your purchase if you do indeed buy. Along with this information, your browser will send to the Amazon.com web site the contents of your Amazon.com cookie, if one is stored on your computer. That's how Amazon knows who you are. They already have your identity; they receive the ASIN; and in goes my book to your shopping cart. Nothin' to it.
The reason it's anonymous federation, however, is that I have no idea this transaction has occurred. I don't know whether you clicked on the button or not, because your browser goes directly to Amazon.com's web site. And although Amazon.com knows your identity via the cookie it left on your computer, my web site can't read that cookie (a browser returns a cookie only to the host that set it), so I don't know who you are. In full (non-anonymous) federation, there's a persistent link between an identity on one web site and an identity on another. In anonymous federation, no such persistent link is created.
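As an added example (not code from the essay or from Amazon.com), the following Python simulation models the three parties in the hand-off above: a browser with a cookie jar scoped per host, an affiliate page that emits the same form fields as the HTML shown, and a merchant that recognises the user from its own cookie. The host names, the cookie name "session-id" and the session table are constructed for the simulation. It goes one step beyond the essay: the SameSite cookie attribute that browsers later introduced withholds a "Lax" cookie from a cross-site POST, and the simulation shows that in that case the merchant no longer knows who clicked.

```python
# Added example (not from the original essay): a simulation of the anonymous
# affiliate hand-off.  Host names, the cookie name and the session table are
# constructed for the simulation and are not Amazon.com's real ones.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str = "None"   # "None", "Lax" or "Strict"


class Browser:
    """One cookie jar per host, with the rule that makes the hand-off
    anonymous: a cookie is only ever sent to, and readable by, the host
    that set it."""

    def __init__(self, servers):
        self.servers = servers          # host -> server object
        self.jar = {}                   # host -> {cookie name: Cookie}

    def set_cookie(self, host, cookie):
        self.jar.setdefault(host, {})[cookie.name] = cookie

    def cookies_for(self, host, cross_site, method):
        sent = {}
        for c in self.jar.get(host, {}).values():
            if cross_site and c.samesite == "Strict":
                continue
            # Lax cookies ride on top-level GET navigations only, never on a
            # cross-site POST such as this form submission.
            if cross_site and c.samesite == "Lax" and method != "GET":
                continue
            sent[c.name] = c.value
        return sent

    def submit_form(self, from_host, action, fields, method="POST"):
        target = urlsplit(action)
        cross_site = target.hostname != from_host
        cookies = self.cookies_for(target.hostname, cross_site, method)
        # The request goes straight to the merchant; the affiliate page is
        # never consulted again, which is why the affiliate learns nothing.
        return self.servers[target.hostname].handle(method, target.path, fields, cookies)


class Merchant:
    host = "merchant.example"           # assumed host, stands in for amazon.com

    def __init__(self):
        self.sessions = {"sess-4711": "alice"}   # constructed: cookie value -> account
        self.carts = {}                         # account -> [asin, ...]
        self.affiliate_credits = []             # (associates tag, asin)

    def handle(self, method, path, fields, cookies):
        account = self.sessions.get(cookies.get("session-id"))
        asins = [name.split(".", 1)[1] for name in fields if name.startswith("asin.")]
        # The affiliate is credited whether or not the visitor is recognised.
        for asin in asins:
            self.affiliate_credits.append((fields.get("tag-value"), asin))
        if account is None:
            return {"status": 302, "account": None, "cart": []}   # sent to sign-in
        cart = self.carts.setdefault(account, [])
        cart.extend(asins)
        return {"status": 200, "account": account, "cart": list(cart)}


class Affiliate:
    host = "affiliate.example"          # assumed host, stands in for the essay's site

    @staticmethod
    def buy_box_form(asin, tag):
        """The same fields as the HTML form on this page, as a dict."""
        return {
            "action": f"http://{Merchant.host}/o/dt/assoc/handle-buy-box={asin}",
            "fields": {f"asin.{asin}": "1", "tag-value": tag.lower(), "tag_value": tag},
        }


def run_handoff(samesite="None"):
    """Alice, already logged in at the merchant, clicks the affiliate's button.
    Returns what each party ends up knowing."""
    merchant = Merchant()
    browser = Browser({Merchant.host: merchant})
    browser.set_cookie(Merchant.host, Cookie("session-id", "sess-4711", samesite))
    form = Affiliate.buy_box_form("0471085782", "RDS-20")
    reply = browser.submit_form(Affiliate.host, form["action"], form["fields"])
    return {
        "merchant_saw_account": reply["account"],
        "cart": reply["cart"],
        "affiliate_credits": list(merchant.affiliate_credits),
        # The affiliate can read only cookies scoped to its own host: none.
        "affiliate_readable_cookies": browser.jar.get(Affiliate.host, {}),
    }


if __name__ == "__main__":
    print(run_handoff())        # merchant recognises alice; affiliate learns nothing
    print(run_handoff("Lax"))   # no cookie on the cross-site POST: anonymous at both ends
```

The same cross-site POST with an ambient cookie is also the shape of a cross-site request forgery, which is why later browsers started withholding cookies in exactly this situation; the anonymity of the hand-off and the merchant's exposure to forged "add to cart" requests are two sides of one browser rule.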
Personal Credentials
While I'm no heavy-hitter in the world of identity, it's an area I've been thinking about for many years. In 1999 I was the CEO-to-be for a stillborn startup company whose charter was to link (federate) identities between the on- and off-line worlds. Our partner/investors included one of the major consumer-credit information database owners and one of the on-line advertising/tracking companies. The concept was simple: If we could link an on-line identity (known via cookies) with an off-line identity (name, postal address, Social Security Number [in the U.S.], etc.) we would have a very valuable tool for targeted marketing, both on and off line. But before we could put it together, DoubleClick got into trouble for doing essentially the same thing, and we were glad they blew it on their dime, rather than we on ours. I personally "opted out" of the project, which subsequently died. But a lot of thought by some very smart people went into the plan, and we learned a great deal along the way.
Doug Kaye, 04 September 2002
Reactions to On Liberty. My inbox was busy this week. I received more feedback on my essay on the Liberty Alliance than regarding any other topic I've addressed in my weblog or newsletter. Much of it was in private email, so I can't quote it, and most (but not all) was supportive. I heard from some heavy hitters in the world of security and digital identity including Andre Durand (of pingid.org), Eric Norlin (Digital ID World), Jiri Ludvik (who publishes a security weblog), Gerry Gebel (Burton Group), and Brent Sleeper (The Stencil Group).
Posted Tuesday, September 17, 2002 5:55:58 PM
Glenbrook Partners on Liberty. Scott and Russ have posted their critique of my analysis of the Liberty Alliance 1.0 documents. Just a few points in rebuttal:
- Regarding the benefits of single sign-on for mobile devices or cross-platform identities, if that's the objective, there are ways to accomplish this without the drawbacks of Liberty. I'll have more to say on this later, but for now, just imagine RoboForm, based on ECML, and linked to an encrypted identity database that's accessible from any client or platform and that only the consumer can read.
- "No actual individual identity information is shared between identity provider and service provider." True, but I'm not worried about the cooperating parties. It's that once someone has gained access to my account at the identity provider, he can access all of my other accounts within the circle of trust without the need for usernames or passwords. Prior to federation of my identity, this wasn't possible unless I was foolish enough to use the same username and password on each of the sites. (See my description of the Compartmentalization Attack.)
- The Glenbrook paper claims that issues surrounding targeted marketing are "tangential to the mission and objectives of the alliance." I disagree. As I wrote in my original essay, I believe (and, I think, substantiate) that targeted marketing and creating new ways to sell goods and services to consumers are precisely the objectives of the Liberty Alliance. Why else would they do this? If you think it's for the altruistic good of the consumer, do you believe the same about Passport or the new MSN Wallet? (Not me.)
The Digital ID Federation Myth. Erick Herring wrote in January 2003, "The Digital ID federation concept sounds attractive, but doesn't include the customers, whose voice and stake in the game are like American Indians in post-Civil War America. Just because the federation issues get ironed out doesn't mean they'll do us any good." This has been my gripe with The Liberty Alliance (and others). The Liberty specifications look pretty good from a technical perspective. But I take issue that the organization and its members are pitching this as a benefit to consumers. That's pure spin, and I wish they'd admit it. Outside the corporate firewall (i.e., when used for public web sites) the primary beneficiaries of federated identity are the merchants, *not* the consumers. Indeed, I assert that for consumers, the risks outweigh the benefits. The technology is great, but let's tell it like it is.
Posted Tuesday, April 29, 2003 5:55:07 PM