How Facebook is changing the world of identity

Okay, so the days of questioning the impact of social networking websites on our digital lives is long gone. But the nature of the impact is still being understood, and this is producing some interesting findings. While the world of sociology is trying to make sense of the seeming divide between Facebook and MySpace users (see ), it is the world of identity and privacy that is seeing some interesting side effects. We all know how concerns about child predators on the web is leading to potential litigation on the need for identity vetting by social networking sites. But the recent opening up of Facebook to the public seems to have let loose a barrage of investigative reports. Two recent articles about Facebook caught my eye:

• Facebook demonstrates that opt-out privacy does not work.
• Fears over Facebook identity fraud

Both illustrate how the world that identity management operates in is changing rapidly, and that IdM needs to keep up.

The first article clearly points to the behavioral patterns that those entrusted with protecting users identity and privacy should understand. You can’t rely on users to protect themselves when they don’t know that they are at risk. Teenagers growing up with these technologies will have an inherent trust in these systems, and so the technology must learn to empower the user, not by giving them enough rope with which to hang themselves, but rather by giving them the right controls to determine correctly how they want to handle their information. In other words, adopt a more user-centric model (boy, I can hear the flames coming for that one).

The second article points to a far more subtle but important fact of digital life. The nature of “identity secrets” is changing. Once commonly accepted secrets for verifying a persons identity (like “mothers maiden name”, “city you were born in” or “the first car you ever drove”) are no longer secret in the age of blogging and tell-all MySpace pages. Bob Blakely put it out there pretty bluntly in a talk he did at Catalyst called The End of Secrecy – “You have no secrets anyway, get over it”. While he was talking about the nature of privacy, it also applies in a much more mundane way to the identity systems in play today – reliance on the same old model of individual secrets is not only passe, it is downright dangerous.

The new model being proposed nowadays is commonly encapsulated in the phrase “What I Have, What I Am, What I Know“. What I Have usually refers to some kind of strong authentication token (smart card, token, USB key). What I Am is an extension of the previous in the form of some biometric identifier (fingerprint, retinal scan, voice recognition). What I Know is a secret (password, PIN, mothers maiden name). As can be seen, the model still relies on a secret, but that has been bolstered by two other factors of authentication. While this is good enough for now, it does seem that new techniques will need to be discovered as increasing computation power and better technology weaken the other two factors over time.

Who knows, maybe the next big thing in identity management will be behavioral pattern analysis (“What I Will Do“) as a form of authentication (see the work being done at the University of Ottawa on a technology they call 3D Password).