We need a strong Internet Identity Framework, NOW!

This is a little bit of a rant, but read this article in the New York Times and you may understand why. It is difficult to get past the feelings of disbelief, outrage and anger that the tragic story of Megan Meier will stir inside you. But if you somehow manage to move past it and think about the implications, it becomes clear that there are some pretty important things that we (the identity community) need to work out, and fast.

Most of today’s social web applications (like MySpace and Facebook) are persona-based, not identity-based. What I mean is that these applications don’t really care about who you are; they only care about letting you be what you want to be within their context. So, it is not surprising that a 47-year-old woman was able to pose so devastatingly as a 16-year-old boy, because in essence that is what MySpace was built to be – a way to express a persona of your choosing.

Why don’t these applications, which know the kind of impact they can have on a person’s life (we all understand the threat predators pose online), care about who you really are? Because, bluntly put, they can’t. It is not possible for them to do that in a scalable, cost-effective manner. The lack of a solid identity framework for the internet prevents these applications from being truly identity-based. We have seen a push towards heavy-handed identity verification mechanisms (see my earlier post about identity verification in Second Life), but those solutions are so costly (time, infrastructure, cost) as to be impractical for most web applications. This kind of model will effectively curtail the free-wheeling collaborative spirit prevalent in the current generation of internet apps, and throttle innovation. If you had to stand in a line somewhere for 4 hours, and had to show your passport to someone, just so you could sign up for a Twitter account, would you?

A one-size-fits-all approach is not the answer. The correct solutions in life only come from taking a balanced approach to the problem. Nothing is more annoying to me when adding a Facebook app than being required to check the box agreeing to share my information with the app, even though I know that it doesn’t need any of it, and most likely isn’t using it at all. Consequently, I avoid adding those apps unless I really want to.

This is where pieces like Bob Blakley’s Identity Oracle, the Identity Services model, Burton’s Limited Liability Persona, the IGF and user-centric methodologies all have to fit together. We do need strong identity verification mechanisms, but we shouldn’t need to go through that for every single site we want to use. Indirection is the solution to many a problem, and the right identity framework for the internet is what lets this identity verification feed into a platform-level identity that multiple applications can build on.

This is also a necessary step toward supporting pseudonymity online. The goal of an identity framework is not to prevent people from creating online personae that are divorced from reality. It is to give applications the ability to create suitable boundaries within which such a persona can be created. Using this, an application like MySpace, where the identity consequences can be so devastating, can choose to, for example, prevent people whose identity is in the 30+ age group from creating a persona that is in the 10-20 age group.
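
The boundary check described above, sketched as an added example (not code from this post or from any of the frameworks it names): a hypothetical identity provider releases only a signed age band and a per-application pseudonym, and the application enforces the 30+ / 10-20 rule. The function names, the band edges other than those two, and the shared HMAC key are assumptions; a real deployment would use an asymmetric signature so the application cannot mint claims itself.

```python
import base64
import hashlib
import hmac
import json

PROVIDER_KEY = b"constructed-demo-key"  # constructed; stands in for the provider's signing key

# Application policy from the post: a verified 30+ identity may not present a 10-20 persona.
BLOCKED_PERSONAS = {"30+": {"10-20"}}


def band_for(age):
    """Map a verified age to a coarse band (edges other than 10-20 and 30+ are assumptions)."""
    if age < 10:
        return "under-10"
    if age <= 20:
        return "10-20"
    return "21-29" if age < 30 else "30+"


def _sign(body):
    return hmac.new(PROVIDER_KEY, body, hashlib.sha256).hexdigest()


def issue_claim(verified_record, app_id):
    """Provider side: release only an age band and a per-application pseudonym."""
    pseudonym = _sign(f"sub|{app_id}|{verified_record['user_id']}".encode())[:16]
    body = json.dumps({"app": app_id, "sub": pseudonym,
                       "age_band": band_for(verified_record["age"])}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_claim(token, app_id):
    """Application side: reject tampered claims and claims issued for another application."""
    encoded, _, signature = token.partition(".")
    body = base64.urlsafe_b64decode(encoded.encode())
    if not hmac.compare_digest(_sign(body), signature):
        raise ValueError("bad signature")
    claim = json.loads(body)
    if claim["app"] != app_id:
        raise ValueError("claim issued for a different application")
    return claim


def may_create_persona(token, app_id, persona_band):
    """Apply the application's boundary to a verified claim."""
    claim = verify_claim(token, app_id)
    return persona_band not in BLOCKED_PERSONAS.get(claim["age_band"], set())
```

The application never sees a name or birth date, only the band, and the pseudonym differs per application so two sites cannot correlate the same person from it.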

Like so many things in modern life, we have become immune to all the horror stories of online predators, until a story like this comes along to remind us that these are important things that we are working on, and we need to get it right.