Identity 2.0

An open-source identity management system could change the way we share personal information over the Internet.

The Internet can be dangerous. It wasn't designed to safeguard important information -- such as people's social-security numbers, home addresses, or bank-account information. Because of this lack of built-in security, the task of managing private data has fallen to a host of private entities: banks, credit-card companies, online merchants, insurance companies, and the like.

Recently, however, software engineers and policy makers have been designing a new layer of security for the Internet. The goal is to free up identity information from organizations and companies, and also allow individuals more control over who sees their personal information.

Last week, IBM and Novell announced they would supply programming code to an open-source software initiative -- a project that could become the framework for people to transfer personal information securely, from credit-card and social-security numbers to eBay ratings and instant messenging "buddy" lists.

The project, named Higgins, is managed by the Eclipse Foundation, an open-source community. In fact, it's the first identity management framework to use the open-source software model, in which anyone can contribute software code. Higgins aims to "provide a simple way for multiple identity management systems to interact," says Mike Milinkovich, executive director of the foundation. IBM is expected to roll out software that incorporates Higgins technology within the next year or so.

One "identity management system" that Higgins might interact with is Microsoft's recently announced InfoCard, which will be integrated into its new Vista operating system. InfoCard exchanges user-specified information with authenticated parties, allowing people to be less dependent on multiple user names and passwords. For instance, an InfoCard, which could be linked with various existing banks or credit-card companies, might contain your name, address, and account number. If you wanted to purchase a book at Amazon, the relevant information from your InfoCard would be supplied to Amazon (an InfoCard- and user-authenticated party). Since you wouldn't have to re-enter your information on Amazon's website, it would also reduce the chance that it could be stolen.

Kim Cameron, architect of identity and access at Microsoft, considers the current identity situation on the Web -- with its passwords, cookies, and auto-complete forms -- to be a "patchwork of one-off and ad-hoc identity contraptions." InfoCard and similar management systems will help, he says, to add a secure layer of identity to the Internet.

Higgins will complement rather than compete with InfoCard and other management systems, says John Clippinger, a senior fellow at the Berkman Center for Internet and Society at Harvard University. Although the two systems share the goal of managing personal information, Clippinger makes a distinction: "Higgins is not an identity management system at all. It works with [those systems]; it overlays them, and part of its value is a way to federate different identity management systems." In other words, Higgins could allow people to control and transfer different types of identity information.