My first Internet Identity Workshop this week. First morning busy getting going; helping out Dawn Jutla with her presentation of the new OASIS technical committee, “Privacy by Design for Software Engineers”; and attending a regular conference call for the Management Council of the Identity Ecosystem Steering Group – together with several other participants here who are also members.
After lunch, another view – “Death to NSTIC”, despite its irreverent title, was a serious examination of the major risks that the new strategy – along with the organisation, IDESG, set up to deliver it (and on whose Management Council currently sit…) – will have to face up to.
After a brainstorm of possible risk areas – and there are many – we held a straw poll among participants and two key risk areas stood out head and shoulders above the rest.
The first, maybe surprisingly, is that the “user experience” is too hard. Surprising, that is, until you unbundle some of what it covers: people forced to use interfaces and online systems that they know are flawed or insecure and, to cap it all, are held responsible and liable for the consequences; the relative difficulty of creating a trusted and secure interface and the relative ease with which it can be hacked and subverted; the obsession with “strong” passwords that are actually far easier to hack than intuitively simple-to-use passwords that are very difficult to hack; the obsession with passwords, tout court (the longest surviving paradigm of the computing era, having been first used in 1961).
The second issue was more vaguely defined and yet commonly supported: the (perceived or real) misalignment of economics, public policy, technology, and culture. There are similarities with my “magic triangle” model for identity, which requires finding the sweet spot between what is technologically feasible, politically desirable and socially acceptable, but it goes further.
A major factor is the absence, or rather misalignment, of liability models for the identity ecosystem and the danger that the model developed is too rigid – with a result that any local failure could have a domino effect and bring down large parts or the entire ecosystem (a theme that we returned to in another session later in the week, ‘A Whiter shade of grey’).