Social Software is turning the idea of identity on it head.  Actually this is a trend that has been happening for long time, but it is being thrust into the public consciousness by the desire now to bring social systems into the enterprise: ESS.  It used to be that on the Internet nobody knows you are a dog), but that is changing.  What they do know is your reputation, which becomes your identity.

Old: Centralized Identity Control

In former years, a person would get a user id by being assigned an id by some sort of administrator.  When joining an organization, you were assigned an employee number for tracking purposes.  Your email address was assigned, usually based somewhat on your legal name, but only if that was available.

The idea that an identity had to be assigned by the organization was entirely normal.  The idea that you might bring your own id to an organization was strange and unsettling.   After all, if you were to gain access to a locked room, you would have be to given the key to the room;  nobody would expect you to bring your own key to unlock the door.  I don’t mean to confuse the concepts of access and identity here, but simply to give an example that we way we think about things is strongly influence dby the physical world we grew up in, and web 2.0 has turned some of these concepts upside down.

The problem with centralized identity: the IT administrator is a bottle neck causing a huge barrier to use.  An administrator knows that creating a lot of IDs means potentially a lot of work later cleaning them up.  It also is the case that more IDs mean more possibilities that someone is accessing the system, and potentially causing problems.  The administrator has every reason to try to keep the number of users in the system as small as possible.  People with a “casual” or “transitory” need to access the system generally find it too much trouble to gain access, and give up.

Newer:  Web & Social Software Decentralize Registration

Starting with ecommerce sites in the late 90’s, and expanding to just about all sites today, you can sign up for an account yourself.  Click the register button, receive and respond to an email message, or otherwise prove you are human, and you have a new account.  What has been done is to entirely automate the allocation of accounts.

Social network software decentralized the granting of access.  Individuals identify “friends” or “contacts” and give them access to their information.  In some approaches access is dependent upon how closely connected you are in the social graph.   We all know how this works, but you still have to get an ID for every context.

Newest: Bring Your Own Identity

Many sites now allow access based on your Facebook, Twitter, or other verifiable identity sources, effectively providing a single sign-on (SSO) capability: log-in once, and access many sites.  Open ID is an open way to do this;  Facebook connect a strong contender.  I have written several time (here and here) on how this is important for social network interoperability.

You share more than just the id and password.  Using Facebook you can “like” things on many sites, and in many cases parts of the profile information can be shared, but the most important aspect is that on all these sites you are appearing as a single identity, and actions done as that identity on one site can be correlated with actions by that identity on another site.

Will the Enterprise Accept this?

The biggest barrier at this point to a universal ID is the acceptance by the current generation of IT administrators.  Should the corporate purchase system to opened by someone’s Facebook identity?  One might ask “why not?” but the burden of proof is in the other direction: “why should access be allowed this way?”  Clearly a single ID is a great convenience to the user, but in a job situation where one is required to use a particular system, convenience is of little consequence.

Inability to access systems is a major barrier to collaboration within the enterprise.  It is very difficult to centrally administer a large number of systems to all have uniform access mechanisms, and at the same time assure proper access control.  In my organization I have at least 24 different id/password accounts for accessing internal systems, because these systems are administered by many different parts of the organization.

Identity and Reputation

Michael Gotta wrote a nice piece called “Don’t Think Profile, Think Identity“.  He also has a 10 min podcast on how identity is socially constructed called “Employee Profiles & Social Network Sites.”  He recognized four main phases:

Formal identity granted by an organization: You were given an employee number, a cost center, mailbox location, etc.  This is not really a person’s identity, but it is identity applied to them by the organization that surrounds them and controls

Identity Claimed by the employee: New opportunity to use social approach, and allow people to “claim” their own identity.  A lot of organizations hit a road block on this because employees have not had to provide their own identity, skills, and other information relevant to their work.  The employees are not quite sure how this will be used, and not sure what is in it for them.  Call it a profile, but in fact it is better called a persona.  There can be a (1) picture – first time employees have the chance to control how they are seen.   Interests, hobbies.

Identity performed by the employee:  How do you validate or vet the claims?  We perform our identity by the history trail of what they have really done.

Identity reciprocated by others in the organization:  Validation of performance by others.

It got me thinking about 1995 when I had a series of conversations with Randy Farmer in the subject of identity.

Tripartite Identity

Randy Farmer and Chip Morningstar were working at Fujitsu in the early 1990’s because Fujitsu had somehow acquired the online virtual community Habitat, and was creating an updated version called Worlds-Away.  Randy explained that identity means nothing until someone invests the time to build a reputation.  One might, and should, have several identities as long as you have the desire to invest in the reputation of each.  At first the idea of multiple identities strikes one as dishonest, but further thought shows that it is not, and it is a lesson I have thought about in the years since.

Recently, he has been advocating “The Tripartite Identity Pattern“.  This is the idea that you might have multiple login ids, multiple public ids, which are tied together by a key call the account identifier.

• The account identifier is nearly invisible.  It is needed for engineering reasons.   Different systems can have different values for this, but within a given system as a unique and permanent key.
• The login ids are what you use to authenticate to the system. It used to be that every system required you to create a single  login id specific to that system, but increasingly today you are seeing systems that allow you to use your email address or your OpenID to login.
• The public ids (also called Social Identity) are the most interesting part of this proposal.  These are the outward facing identities and allow you to show more than one face to the public.

Together with Bryce Glass, Randy released a book called “Building Web Reputation Systems“.  He also runs a few blogs.

Conclusion / Summary

Any cloud based software, or Software-as-a-Service, that requires an administrator to set up an account for you, is a dinosaur ready to be wiped out.  That mode of assigned ID will disappear from all except for mandated organizational systems.  Useful optional software, as well as forward thinking utility software, will leverage identies that people bring with them.  We see this trend rapidly expanding.

This separates identity from access, and leaves us with a similar problem:  how do you know who a person is, and that revolves around reputations.  Reputation support is new, and problematic, yet hold the promise of being able to have groups of people who self-manage their membership even in critical resources.  Trolls are ejected from the groups without an administrator needing to be involved.

Adoption for this sort of thing will be slow in the enterprise space, but those companies that want to be in business 10 years from now had better start planning for this change.