App developers
2011-06-10 17:06:11.397848+00 by Dan Lyke 3 comments
App developers: Assume that I have multiple identifiers and personae, and that identity is your notion of me.
2011-06-10 17:06:11.397848+00 by Dan Lyke 3 comments
App developers: Assume that I have multiple identifiers and personae, and that identity is your notion of me.
comments in descending chronological order (reverse):
#Comment Re: made: 2011-06-10 23:22:46.598523+00 by: Dan Lyke
So this first became clear to me when I bought a road bike.
I'd had a mountain bike for years, bought from Sunshine Bicycles in Fairfax. Every once in a while I'd go back in for a new helmet, or to buy a derailleur 'cause I'd sheared one off, or to get my rims beat back into shape. It wasn't an expensive bike, I'd beat the living daylights out of it, fix it up cheaply, and go back and beat it up again.
I bought a tricked out Cannondale road bike, used, for 3 or 4 times what I spent on my new mountain bike. Tried to go into Sunshine, but they treated me as the same person who brought them the mountain bike; how can we get this bike back and rolling cheaply, not how can we tune this fine piece of machinery so it clicks and hums at speed.
Eventually I had to choose another bike shop for my road biking. What I wanted was to use my bike as an identifier, and be treated differently when I came in with the road bike vs the mountain bike. In practice, my face was the identifier.
And my identity was relative to the bike shop, it was how they treated me.
Now on to Google. I have 5 to 7 different ways to log into Google services. OpenID, GMail, a couple of different Google Apps email addresses, etc.
Within those identifiers, I want to present a few different personae. There's a pseudonym, there are at least two email addresses I use for different things, etc.
What I'd like is the ability to attach those identifiers to a given identity, what Google knows about me, and to switch between a couple of different personae.
Google actually doesn't suck in this front. At least they haven't tried to automatically collapse my identifiers and personae into an identity.
Yahoo, on the other hand, has. I signed up with AT&T, Yahoo attempted to collapse all of my Yahoo related identifiers into one, attached to my Yahoo identity, and got it wrong. Worse, I then canceled AT&T, which irrevocably fucked up my Yahoo identity. I now can't log in with any identifier. I'm now attempting to rebuild it using a Google owned identifier.
Not understanding the difference between the identifier, the identity, and the persona has cost Yahoo my use of a bunch of their services.
At Google, where I have legitimate reasons to use multiple identifiers I'd love it if there were the ability to collapse it into a single identifier, but expose multiple personae (ie: switch between which Google Apps email address I was logged into quickly and easily). Instead I use multiple browsers to manage this.
But it's a level of thinking about this stuff that I haven't seen yet in the identity community, and in the privacy community they're still confusing identity with identifiers and personae.
#Comment Re: made: 2011-06-10 21:10:52.398377+00 by: Larry Burton
I have no less than six cards in my pocket right now that can be used as ID. Online I have three email accounts that I use for various purposes plus a few dormant ones that have been used as identifiers in the past. I've run into way too many applications that would treat each identifier as a unique person with no way of combining any of those identifiers so that it would recognize any of them as referring to me. There are times that I'd like to be multiple people but there are also times I'd like to combine those identities. App builders should never assume that I only have one of any type of credential.
#Comment Re: made: 2011-06-10 19:34:44.040851+00 by: Jack William Bell
It isn't clear where you are going with this. Please expand.
Note: for some time I have been toying with the concept of an 'Anonymous Identity'; i.e. an identity that only one person can use, but which cannot be traced back to that person. As it turns out, this is a non- trivial problem! Even leaving out the 'cannot be traced back' part, how do you keep a third party from using the Anonymous Identity and pretending to be the actual owner of it?
Even tricks like distributing public signing keys are problematic. Where can you put those keys so that they are safe from tampering, but long lived? And, if the keys can be changed by a third party after the fact, the Anonymous Identity can no longer be used by the original owner.