Blessed are the Doers for They Shall Inherit the Ecosystem

Pilots and problem solving, like science experiments, don’t always work as expected. But we always publish results in the hope we can advance the conversation. OIX takes on the hardest problems in identity like liability. We enable competitors to collaborate through a remarkable IPR container used by global leaders.

OIX has helped pilots involving shared signals and Mobile Network Operators across borders. Years ago, Google and Verizon collaborated on an OIX pilot called “Street Identity” sorting out the issues of binding a physical “street” address with an online address like an email account. It was an agile, “Googley” approach; market test a hypothesis, see it works and then “wash, rinse and repeat.”

And of late we’ve turned our attention on how best to verify the identities of the disadvantaged, the “thin file” demographics. There’s been a lot of recent discussions on helping disadvantaged citizens AKA the under-banked, the ‘thin files’ folks unable to participate fully in government-to-citizen services online. It’s a growing problem common to governments and Internet identity systems worldwide.

OIX Board member companies like Equifax, Experian and LexisNexis are building commercial data solutions that address the verification of the ‘thin file’ demographic. CA Technology, Microsoft and others provide the enterprise systems at scale that support attribute exchange across populations. Ping Identity, Verizon and others are looking at extending attribute provisioning into national health care systems.

These members have in common is that they are all involved in the GOV.UK Verify program at the same time exploring similar propositions with Federal and State officials in the US. The ROI of delivering G2C services is compelling and happening now. It seems the right thing to do and an economically sensible area to explore.

We’ll build on the OIX’s GOV.UK Verify pilots and White Papers. The idea is simple – learn from UK Pilots in South Yorkshire, Warwickshire, etc. to inform pilots in the US.

Truth be told, innovations occur where the rubber hits the road, at the state, local and municipal levels. Whether in Warwickshire or Pennsylvania, South Yorkshire or Virginia, British Columbia or Texas, that’s where real problems in verifying identity gets solved; its where Internet identity isn’t aspirational its critical.

Toward a Modern Magna Carta for Internet Identity

Many have noted similarities in the work of the US National Strategy on Trusted Identity in Cyberspace’s via its Identity Ecosystem Steering Group, and in the UK via HMG Cabinet Office Identity Assurance Program via its Identity Steering Group.

After the recent US National Strategy on Trusted Identity in Cyberspace Plenary in Atlanta, I attended meetings in London that focused on how the progress and precedents in GOV.UK Verify can inform business cases for identity services across both public and private sectors. The common denominator is a need for a private sector led, public private partnership, that helps accelerate the volume, velocity and variety of Internet transactions while recognizing government’s role in protecting the security and privacy of its citizens.

At an Open Identity Exchange (OIX) speaker’s dinner preceding a big tech entrepreneurs’ conference at the Royal Institute of Great Britain, industry leaders and investors from British banks and Silicon Valley talked about how best to grow bespoke services in the UK that interoperate with global identity ecosystems. There was begrudging acknowledgement that emerging UK identity services markets risk being dominated by a small group of US companies whose “walled gardens” and proprietary standards limit the upside and expansion for established and entrepreneurial enterprises alike in Britain.

All the attendees acknowledged that leveraging GOV.UK Verify as a catalyst for commercial services pivots on issues around how identity services that serve government might be repurposed for commercial applications. Put another way; what are the rules of the road in the UK for the reuse of government approved identity services?

The need for guidelines for the Internet—a Magna Carta, of sorts—was part of a discussion with Baroness Martha Lane Fox and others on the BBC recently. (http://www.bbc.co.uk/programmes/b048l00t). A week later in Silicon Valley, President Obama called for new cooperation to wrangle the Wild West of the Internet. (http://www.nytimes.com/2015/02/14/business/obama-urges-tech-companies-to-cooperate-on-internet-security.html?_r=0)

Francis Maude, the Minister for Cabinet OfficeHMG Minister for Cabinet Office Francis Maude reminded us before the dinner that all stakeholders have much to gain by a public-private partnership like OIX. It can help develop, deploy and govern a set of scheme rules that clarify and articulate the business, technical and legal interoperability requirements needed for robust business cases. The Right Honorable Francis Maude’s remarks  reminded many of us of his “JFDI” reference at the first Economics of Identity conference held last June in London.

Minister Maude eschewed that particular exhortation in his keynote last week, but his message was clear: British taxpayers will be well served by the efficiencies of the Government Digital Service (GDS) GOV.UK Verify program, as well as the catalyst it can provide to the emerging identity services in the UK private sector.

During the OIX member meetings that followed, GDS leader Chris Ferguson pointed to the challenge of starting with government procurement language to inform a public and private sector set of scheme rules.

The OIX Advisory Board noted the success of trust frameworks underway via the Transglobal Secure Collaboration Participation (TSCP) in defense and aerospace, and with the SAFE-BioPharma Association in the biopharmaceutical and healthcare sectors. Today these organizations provide identity federation services that are the rules of the road necessary to govern their sectors’ commercial Internet identity systems.

OIX UK is beginning to organize what we call a “scheme rules sprint” using a proven multi-stakeholder collaboration process that solves a specific and common problem. The process is key, as we take on the forcing-functions of transparency and a second annual Economics of Identity Conference on Canary Wharf on June 30 of this year. This work, like all others, will follow the now time-tested process set out in the UK Identity Steering Group, ensuring transparency and deliverables as we would expect with any government and Open Identity Exchange led project.

It is terribly presumptuous to compare our modest scheme rules or trust framework development efforts to a modern Magna Carta. But as they say in the UK, it’s a direction of travel, a way to honor the original Magna Carta on its anniversary and a road worth taking.

Don Thibeau
The Open Identity Exchange

The Name is the Thing: “The ARPU of Identity”

The name is the thing. The name of this Open Identity Exchange White Paper, the “ARPU of Identity”, is deliberate. ARPU, Average Revenue Per User, is one metric telcos use to measure success. By deliberately using a traditional lens that telcos use, this paper puts emerging Internet identity markets into a pragmatic perspective. The focus of the white paper is on how mobile network operators (MNOs) and other telcos can become more involved in the identity ecosystem and thereby improve their average revenue per user, or ARPU. This perspective continues OIX’s “Economics of Identity” series, or as some call it the “how do we make money in identity” tour in the emerging Internet identity ecosystem. OIX commissioned a white paper reporting the first quantitative analysis of Internet identity market in the UK, where HMG Cabinet Office hosted workshops on the topic at KPMG’s headquarters in London and at the University of Washington’s Gates Center in Seattle.

The timing of this paper on business interoperability is coincidental with work groups in the OpenID Foundation developing the open standards that MNOs and other telco players will use to ensure technical interoperability. GSMA’s leadership with OIX on pilots in the UK Cabinet Office Identity Assurance Program and in the National Strategy on Trusted identity in Cyberspace offer opportunities to test both business and technical interoperability leveraging open standards built on OpenID Connect. The timing is the thing. The coincidence of white papers, workshops and pilots in the US, UK and Canada with leading MNOs provides a real-time opportunity for telcos to unlock their unique assets to increase ARPU and protect the security and privacy of their subscribers/citizen.

In my OpenID Foundation blog, I referenced Crossing the Chasm, where Geoffrey A. Moore argues there is a chasm between future interoperability that technology experts build into standards and the pragmatic expectations of the early majority. OIX White Papers, workshops and pilots help build the technology tools and governance rules needed for the interoperability to successfully cross the “chasm.”

Several OIX White Papers speak to the “supply side” how MNOs and others can become Identity Providers (IDPs), Attribute or Signal Providers in Internet identity markets. Our next OIX White Paper borrows an industry meme (and T-Shirt) for its title, “There’s No Party Like A Relying Party”. That paper speaks to the demand side. Relying Parties, (RPs) like banks, retailers and others rely on identity attributes and account signals to better serve and secure customers and their accounts rely on technical, business and legal interoperability.

By looking at the “flip sides” of supply and demand, OIX White Papers help us better understand the ARPU, the needs for privacy and security and the economics of identity.

Don

Crossing the Chasm of Consumer Consent

This week Open Identity Exchange publishes a white paper on the “ARPU of Identity”.   The focus of the white paper is on how MNOs and telecommunications companies can monetize identity markets and thereby improve their average revenue per user, or ARPU.   Its author and highly regarded data scientist, Scott Rice, makes a point that caught my eye. It’s the difficulty in federating identity systems because consumer consent requirements and implementations vary widely and are a long way from being interoperable. It got my attention because Open Identity Exchange and the GSMA lead pilots in the US and UK with leading MNOs with funding in part from government. The National Strategy on Trusted identity in Cyberspace and UK Cabinet Office Identity Assurance Program are helping fund pilots that may address these issues. Notice and consent involves a governmental interest in protecting the security and privacy of its citizens online. It’s a natural place for the private sector to leverage the public-private partnerships Open Identity Exchange has helped lead.

Notice and consent laws have been around for years.  The Organization for Economic Co-operation and Development, or OECD, first published their seminal seven Privacy Guidelines in 1980.  But in 1980, there was no world wide web nor cell phone.  Credit bureaus, as we know them today, didn’t exist; no “big data” or data brokers collecting millions of data points on billions of people.  What privacy law protected then was very different than what it needs to protect now.  Back then, strategies to protect consumers were based on the assumption of a few transactions each month, not a few transactions a day.  OECD guidelines haven’t changed in the last 34 years. Privacy regulations and, specifically, the notice and consent requirements of those laws lag further and further behind today’s technology.

In 2013 (and updated in March of this year), OIX Board Member company Microsoft, and Oxford University’s Oxford Internet Institute (OII) published a report outlining recommendations for revising the 1980 OECD Guidelines.  Their report makes recommendations for rethinking how consent should be managed in the internet age.  It makes the point that expecting data subjects to manage all the notice and consent duties of their digital lives in circa 2014 is unrealistic if we’re using rules developed in 1980.  We live in an era where technology tools and governance rules assume the notice part of “notice and consent” requires the user to agree to a privacy policy.  The pragmatic choice is to trust our internet transactions to “trusted” Identity Providers (IDPs), Service Providers (SPs) and Relying Parties (RPs). The SPs, RPs, IDPs, government and academic organizations that make up the membership of Open Identity Exchange share at least one common goal: increasing the volume, velocity and variety of trusted transactions on the web.

The GSMA, Open Identity Exchange and OpenID Foundation are working on pilots with industry leading MNOs, IDPs and RPs to promote interoperability, federation, privacy and respect for the consumer information over which they steward.  The multiple industry sectors represented in OIX are building profiles to leverage the global adoption of open standards like Open ID Connect. Open identity standards and private sector led public-private partnership pilots help build the business, legal and technical interoperability needed to protect customers while also making the job of being a consumer easier.

Given the coincidence of pilots in the US, UK and Canada over the coming months, it is increasingly important to encourage government and industry leaders and privacy advocates to build on interoperability and standardization of consumer consent and privacy baked into standards like OpenID Connect brings to authentication.

Don

Crossing the Chasm In Mobile Identity: OpenID Foundation’s Mobile Profile Working Group

Mobile Network Operators (MNOs) worldwide are in various stages of “crossing the chasm” in the Internet identity markets. As Geoffrey A. Moore noted in his seminal work, the most difficult step is making the transition between early adopters and pragmatists. The chasm crossing Moore refers to points to the bandwagon effect and the role standards play as market momentum builds.

MNOs are pragmatists. As they investigate becoming identity providers, open standards play a critical role in how they can best leverage their unique technical capabilities and interoperate with partners. The OpenID Foundation’s Mobile Profile Working Group aims to create a profile of OpenID Connect tailored to the specific needs of mobile networks and devices thus enabling usage of operator ID services in an interoperable way.

The Working Group starts with the challenge that OpenID Connect relies on the e-mail address to determine a user’s OpenID provider (OP). In the context of mobile identity, the mobile phone number or other suitable mobile network data are considered more appropriate. The working group will propose extensions to the OpenID discovery function to use this data to determine the operator’s OP, while taking care to protect data privacy, especially the mobile phone number. We are fortunate the working group is led by an expert in ‘crossing the chasm’ of email and phone number interoperability, Torsten Lodderstedt, Head of Development of Customer Platforms at Deutsche Telekom who is also an OpenID Foundation Board member.

The Working Group’s scope is global as geographic regions are typically served by multiple, independent mobile network operators including virtual network operators. The number of potential mobile OPs a particular relying party needs to setup a trust relationship with will likely be very high. The working group will propose an appropriate and efficient model for trust and client credential management based on existing OpenID Connect specifications. The Foundation is collaborating with the Open Identity Exchange to build a trust platform that combines the “rules and tools” necessary to ensure privacy, operational, and security requirements of all stakeholders.

Stakeholders, like service providers, may likely have different requirements regarding authentication transactions. The OpenID Connect profile will also define a set of authentication policies operator OP’s are recommended to implement and service providers can choose from.

This working group has been setup in cooperation with OpenID Foundation member, the GSMA, to coordinate with the GSMA’s mobile connect project. We are fortunate that David Pollington, Senior Director of Technology at GSMA, and his colleagues have been key contributors to the Working Group’s charter and will ensure close collaboration with GSMA members. There is an importance coincidence of the GSMA and OIX joint leadership of mobile identity pilots with leading MNOs in the US and UK. All intermediary working group results will be proposed to this project and participating operators for adoption (e.g. in pilots) but can also be adopted by any other interested parties. The OIX and GSMA pilots in the US and UK can importantly inform the OIDF work group standards development process. That work on technical interoperability is complemented by work on “business interoperability.” OIX will publish a white paper tomorrow, “The ARPU of Identity”, that speaks to the business challenges MNOs face leveraging the highly relevant and unique assets in Internet identity.

The OpenID Foundation Mobile Profile Working Group’s profile builds on the worldwide adoption of OpenID Connect. The GSMA and OIX pilots offer an International test bed for both business and technical interoperability based on open standards. Taking together with the ongoing OIX White Papers and Workshops on the “Economics of Identity”, “chasm crossing” is within sight of the most pragmatic stakeholders.

Don

Standing Out and Delivering: OIX in a Crowded and Noisy Ecosystem

In a world where we constantly receive information at an ever-increasing rate, it’s hard for any one organization to stand out. It’s harder still to hold the attention of OIX members. They are a smart and sophisticated bunch when it comes to Internet identity. OIX members include industry leaders, venture-backed start-ups, universities and governments who are all focused on how to grow the volume, velocity and variety of trusted transactions on the web. So, I am thankful to the OIX members that joined the 2014 Member Meeting yesterday.

OIX is taking on some of the toughest obstacles to building trust in online identity. I highlighted the OIX pilot projects, white papers and workshops that contribute to containing costs and mitigating risk in deploying today’s Internet identity systems. I also teased the news of a team of rival global industry leaders joining together to bring to the market new options for certification and standards. The 2014 OIX Member Meeting presentation has been posted.

At the Member Meeting, I asked a favor: please take a few minutes to complete the OIX Member Survey that you recently received via email. OIX offers industry members the chance to shape the market they wish to lead. Your feedback helps shape OIX to meet your needs and the needs of your organization.

See you soon,
Don

General Availability of Microsoft OpenID Connect Identity Provider

Microsoft has announced the general availability of the Azure Active Directory OpenID Connect Identity Provider.  It supports the discovery of provider information as well as session management (logout).  On this occasion, the OpenID Foundation wants to recognize Microsoft for its contributions to the development of the OpenID Connect specifications and congratulate them on the general availability of their OpenID Provider.

Don Thibeau
OpenID Foundation Executive Director

There’s No Party Like Relying Parties

At Internet Identity conferences, the mention of Relying Parties (RPs) often triggers looks of consternation among attendees and comments about why aren’t they here. The role of RPs, and the reluctance of organizations to fill this role, has become a critical constraint to the emerging identity ecosystem.

In the business models used by most companies, RPs end up footing the bill. Identity Providers (IDPs), Content Service Providers (CSPs), and Applications Providers (Aps) are all on the receiving end of revenue related to identity transactions. While it’s never hard to find help when there is money to be made, what can be done to bring RPs to the table when they know it is likely going to cost them just to sit down?

RPs have been the least involved in the identity ecosystem discussions and working groups. There are active pilot projects, but, more often than not, the RPs for these projects have been government or public sector entities. Cross-sector success hinges on commercial entities willing to create identity management services, and their willingness pivots on identity systems providing RPs with something valuable in exchange.

To gain insight into the motivations of public and private sector RPs, let’s look at the identity marketplace from their perspective; let’s see what they see. Technology-driven companies tend to come up with new solutions that provide new capabilities and convenience for users but often forget three important assumptions:

  1. RPs are asked to finance a solution that primarily benefits their users, not them.
  2. We tend not to ask the user who is receiving most of the benefit to pay because users, usually consumers, do not like to pay for services when they do not understand the value/benefit to them.
  3. Consumers tend not to understand the value of identity protection until their identity has been compromised.

The identity industry tends to target technology and compliance people in RPs instead of the person most concerned with customer experience: the CMO. CFOs want reduced costs. General Counsels want reduced liability. The CMO, however, is responsible for improving customer experience. Identity systems tend to focus on simplifying and streamlining the customer experience. Reductions in risk and fraud rates are positive outcomes, as is increased insight into customer intentions. This comes with acquiring the all important data attributes as part of an overall identity management strategy. But at the end of the day, RPs’ primary motivation for changing identity systems is to improve customer experience by reducing friction and improve profits by monetizing customer data.

With the exception of Facebook, many identity system providers don’t make it clear exactly what RPs can to do to take advantage of their platforms. And even if the steps are clear, is it reasonable to expect RP technology departments to support switching from their internal systems to an unfamiliar external vendor?

These are all reasonable questions and expose factors that affect commercial RP participation to one degree or another. OIX plans to research these questions, to explore RP requirements and suggest solutions in a new OIX White Paper. Theses OIX White papers on the demand (RP) side and the supply side (IDPs and RPs) will help meet the challenges facing RPs and other stakeholders in the emerging identity ecosystem.

US Government Office of the National Coordinator for Health Information Technology (ONC) Joins the OpenID Foundation

The Office of the National Coordinator for Health Information Technology (ONC) located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS) has joined the OpenID Foundation (OIDF). ONC is the principal federal entity charged with coordination of nationwide efforts to implement and utilize the most advanced health information technology for the electronic exchange of health information.

ONC is at the forefront of the Administration’s Health IT efforts and is a key standards development resource to the national health system to support the adoption of health information technology and the promotion of nationwide health information exchanges. Ms. Debbie Bucci will join the Board of Directors of the OpenID Foundation as the ONC representative.

Two key initiatives the ONC plans to undertake within the OIDF is to lead a Healthcare Information Exchange (HIE) working group to create a profile of OpenID Connect and follow-on associated pilot projects. Ms. Bucci, an IT Architect in the Implementation and Testing Division, is helping lead a profiling and interoperability testing effort at ONC and will be one of the leaders of the HIE working group activities.

Don Thibeau, Executive Director of the OIDF, pointed out that this public sector effort parallels the increasing global adoption among large commercial enterprises. Google, Microsoft, Ping identity, Salesforce, ForgeRock and others have embraced OpenID Connect as fundamental to their identity initiatives. Thibeau noted, “After the launch of OpenID Connect early this year, the OIDF finds itself working on one of the hardest use cases in identity; patient medical records at the same time as working on the platform of choice; the mobile device. Working with OIDF member organizations like the ONC, GSMA and others brings important domain expertise and a user-centric focus to these OIDF working groups. These standards development activities are loosely coupled with pilots in the US, UK and Canada.”

If you are interested in the HIE working group, please consider attending the OpenID Day on RESTful Services in Healthcare at MIT on September 19th in Cambridge, MA. This event will focus on emerging Web-scale technologies as applied to health information sharing. The focus will be on group discussion among MIT’s expert participants. The OIDF will follow its standards development process while MIT leads outreach and industry engagement. This day is part of the 2-day annual MIT KIT Conference at MIT on September 18-19. For more information on this event and to register, please visit http://kit.mit.edu/events.

Economics of Identity Workshops Off to a Successful Start

By all accounts our Economics of Identity series of workshops are off to a successful start. We kicked the series off in London where standing room only attendees “voted with their feet” by staying attentive to the end and where we generated more buzz than bloviation.

150+ attendees from private sector took to their seats on 9th June, when OIX UK presented the Economics of Identity hosted at the KPMG offices Canary Wharf, London. With a focus on uncovering what identity is worth to the UK economy, £3.3bn was the headline figure presented by Ctrl-Shift in their OIX white paper of the same name.

Panel discussions centered around the Identity Assurance Programme (IDAP) model of citizen, money and living, with Francis Maude, Minister for the Cabinet Office, and Chris Ferguson, Deputy Director of the Identity Assurance Programme, taking the stage first to talk about how the citizen’s needs are at the heart of making identity assurance work. What followed where speakers from banking, mobile, retail and startups, being quizzed in detail by columnist and editor Alex Howard, MC for the event, on their expert opinions.

The results of the UK’s first mobile network operator, collaborative alpha trial were warmly received by the audience, a demonstration showing the concept of enhancing the customer experience using PIN numbers and your mobile device to support identity verification, showing just how easy this could be.

The tweets were fast and furious through the day. Here are some of my favorites:

  • Francis Maude @cabinetofficeuk: ‘We’re building trust by being open – the sunlight of transparency is making things better.’ #econID
  • Charles Schwarz @BarclaysOnline: ‘This is about the best possible customer experience.’ #econID
  • @ahatami @LloydsBankCB: ‘We have to solve the #identity problem – not the customer.  We cannot burn the customer with complexity.’
  • Innovate Identity @innovate_ID: ‘What a great event congrats to @OIXUK for organisation  #econID all the thought leaders in digital identity there!
  • @drdrmc: ‘The SMEs will see #identityassurance as an opportunity to showcase their innovation adapting it into their business model.’

Video and presentations from the event are posted on the OIX UK website and over the coming weeks, additional footage will be added including pictures and illustrations depicting key points made at the conference. The “pipeline” Open Identity Exchange White Papers that preceded and followed the event are now available.

We followed the workshop in London with the second Economics of Identity event at the Gates Center at the University of Washington on June 23rd where we took on the topic of the role of “Big Data and IPR” in the value chains we described in London.  I’ll share more details on the success of that event in another blog.

We’re now building the agendas for the Economics of Identity workshops in Washington, DC on September 23rd. And the fourth event is scheduled for February 2015 in Silicon Valley with a focus on the venture capital flooding into the identity space. More details on both of these events on my blog and on the OIX site as we get closer to these dates.

Don