An open-source identity management system could change the way we share personal information over the Internet.
The Internet can be dangerous. It wasn’t designed to safeguard important information – such as people’s social-security numbers, home addresses, or bank-account information. Because of this lack of built-in security, the task of managing private data has fallen to a host of private entities: banks, credit-card companies, online merchants, insurance companies, and the like.
Recently, however, software engineers and policy makers have been designing a new layer of security for the Internet. The goal is to free up identity information from organizations and companies, and also allow individuals more control over who sees their personal information.
Last week, IBM and Novell announced they would supply programming code to an open-source software initiative – a project that could become the framework for people to transfer personal information securely, from credit-card and social-security numbers to eBay ratings and instant messaging “buddy” lists.
The project, named Higgins, is managed by the Eclipse Foundation, an open-source community. In fact, it’s the first identity management framework to use the open-source software model, in which anyone can contribute software code. Higgins aims to “provide a simple way for multiple identity management systems to interact,” says Mike Milinkovich, executive director of the foundation. IBM is expected to roll out software that incorporates Higgins technology within the next year or so.
One “identity management system” that Higgins might interact with is Microsoft’s recently announced InfoCard, which will be integrated into its new Vista operating system. InfoCard exchanges user-specified information with authenticated parties, allowing people to be less dependent on multiple user names and passwords. For instance, an InfoCard, which could be linked with various existing banks or credit-card companies, might contain your name, address, and account number. If you wanted to purchase a book at Amazon, the relevant information from your InfoCard would be supplied to Amazon (an InfoCard- and user-authenticated party). Since you wouldn’t have to re-enter your information on Amazon’s website, it would also reduce the chance that it could be stolen.
Kim Cameron, architect of identity and access at Microsoft, considers the current identity situation on the Web – with its passwords, cookies, and auto-complete forms – to be a “patchwork of one-off and ad-hoc identity contraptions.” InfoCard and similar management systems will help, he says, to add a secure layer of identity to the Internet.
Higgins will complement rather than compete with InfoCard and other management systems, says John Clippinger, a senior fellow at the Berkman Center for Internet and Society at Harvard University. Although the two systems share the goal of managing personal information, Clippinger makes a distinction: “Higgins is not an identity management system at all. It works with [those systems]; it overlays them, and part of its value is a way to federate different identity management systems.” In other words, Higgins could allow people to control and transfer different types of identity information.
The potential of Higgins becomes clearer if one compares the offerings of different identity management systems. InfoCard solves one of the biggest security issues on the Internet, says Dick Hardt, CEO of Sxip Identity, a firm that sells another management system, which helps users protect themselves from identity theft. “[Microsoft has] built something that’s highly isolated and secure.” But, Hardt adds, you don’t need InfoCard’s security power to move around, for instance, your Amazon DVD preferences to Netflix – that’s something Sxip software is designed to accommodate. Higgins would connect together both of these systems, so the user would be unaware of having multiple identity systems.
In order for Higgins to work well with highly secure applications, such as InfoCard, as well as in less secure environments, it needs a high level of security itself. Being an open-source application helps achieve this, says Raj Nagaratnam, chief architect for identity management at IBM. “The open source model allows for hundreds of thousands of developers…if there’s vulnerability, they will fix it and continually build the platform.”
And Higgins addresses more than just the idea of secure software for identity management, Nagaratnam says. “The reason we went to open source is because this problem isn’t just a technical issue, it’s about how end-users want to actively manage their identities. It brings in social aspects of how users want to collaborate.”
In fact, Harvard’s Clippinger expects that Higgins could eventually help people go beyond simply managing their individual identity information – and toward establishing user communities based on a framework of trusted identities. It could be similar to the way eBay allows users to create markets and communities around common interests. For instance, a person in an eBay community could share selected information with people in groups at Yahoo, Clippinger says.
Helping to develop trusted communities is an important goal of the Higgins project, agrees Milinkovich of the Eclipse Foundation, and it’s fundamental to the open-source community as well. “I think it’s very important that these kinds of identity management systems be done in an open, transparent, and vendor-neutral way,” he says. “This area of technology is far too important for individuals and society at large to be left to any one vendor. The greater the transparency, the greater the trust.”