Ourselves, Together

Aug 26, 2013

I went shopping recently...for my own identity.

TL;DR

I went shopping recently…

…for two rather specialized products, and both times came away discouraged and disappointed. The products were widely different but had one thing in common: they related to my personal identity.

The unhappy experiences, recounted below, inspired me to investigate how to create the products myself. Given recent headlines, I really don’t want my identity in others’ hands anymore.

If enough people feel the same, there are ways to reclaim our identities from various other parties that “own” them.

To be ourselves, together.

“We’ve locked in prices!”

The first product I went looking to buy was an SSL certificate for a website. It’s the unique chunk of data that puts the lock in the web browser’s address bar. It means that the link between my server and your browser is authentic and can’t be snooped.

A variety of businesses sell them, including Thawte, GoDaddy, Digicert…the list goes on. Each vendor has a shiny website, with numerous glitzy trademarked product names.

The prices ranged between 200 and 600 dollars. Per year. Ouch.

I just needed a certificate that meets a few technical standards, inexpensively. Many web developers have created nearly this kind of certificate, for free, with much the same software that the vendors use.

But when you or I create them, the result is “self signed” (the creator digitally endorses the certificates themselves). Web browsers that consume them notice that it’s only me that is vouching for myself—it could be anybody impersonating me—and they throw up big red screens or scary warnings. I needed a certificate that wouldn’t cause that.

A commercially-bought certificate is endorsed by a Certificate Authority (CA). They play two roles:

  1. They verify the identity of who buys each certificate. Sometimes a real, live person does this.
  2. They get themselves listed in various master lists of CAs. If the CA endorses your certificate, then the browsers trust you and don’t throw up the scary warnings.

Those connections makes the whole system work. They’re what we pay money for.

Do we pay too much? How would we know? It’s a complex technology that few people understand well. On top of that, vendors chop up the technical standards into their own varying product lines. How can we choose the right features and price to aim for?

Even if the commercial CAs were offering certificates as commodities or loss leaders, who are these businesses, really? Is their parent corporation Nordyne Defence Dynamics? How much can we trust them, considering how little we can readily verify about private businesses?

What if those buying certificates simply vouched for each other? They can reduce intermediaries to a minimum, create their own certificates and Certificate Authority, and get them recognized in mainstream software.

With something as important as our digital identity, we’d prefer knowing who influences it, end to end. And what the costs really are.

“That’s going to go on your permanent record!

The second product I went shopping for was my credit report. It’s, well, our permanent, permanent record, and we’re supposed to check it regularly for errors.

I took the officious route. I drove to the offices of Equifax (Toronto) and TransUnion (Burlington) to request my statutory yearly free report.

That exercise itself was a revelation. One public wicket was carved out of a second floor hallway. The other was hidden behind a basement food court. Both of them had the unique funk of the DMV about them. Remember, these are private, for profit companies who take pride in their business. As soon as they face any statutory responsibilities, they go limp like a sullen toddler.

While I waited, I thought back to establishing my credit rating as a teen. I followed the family tradition of “getting a Sears card and then cutting it up”. Essentially, to establish a credit history we often commit light fraud, obtaining a service that we have no intention of using (and incurring costs with the vendor).

It also reminded me of mortgage approval, when the banker gravely refused to show me my credit report…which was there on the screen in front of her. “The credit reporting agencies don’t allow us to show you,” was the explanation. This is information that started out as our own.

The person in line in front of me fought with the credit agency’s customer service rep for a half hour to resolve an error they found on their report. He presented proof of the error, and had paid for credit monitoring services. The rep blandly referred him back to his lender…who had stopped taking phone calls in recent days, hence his visit to the agency.

Two private companies own our economic criminal record. They resell it to our creditors, and to us. No doubt they resell off-menu products to “private” clients.

They are steadily supplanting the traditional credit report with a “credit score”, not freely available to us by law. While they fulfill their statutory obligations they take the opportunity to upsell premium identity-protection products.

How did we get such a bass-ackward system, where borrowers, creditors, and the reporting agencies have to give the silent treatment to each other, confuse one another, even evade one another? Why not just create a voluntary, mutual credit reporting system?

With the right incentives, credit reporting would be entirely desirable. A new credit reporting system would be a massive undertaking, but well within existing information processing practices. The data management and policy challenges involve the same infrastructure as digital identity products, such as the certificates described above.

If enough people work together, they can recover their credit-related identity information. As a bonus, they can refine the balance between the lenders’ and borrowers’ points of view. That can make interest rates and contract terms more efficient.

“Yessiree, everything from soup to nuts!”

I signed up for the Community Carshare last year. It works well. Then I got the MEC membership. And the credit union account. And so on…

I’ve found lots of moments to wonder “Can I get this at a co-op?”, and here is another such moment.

An Identity co-operative would sell its members identity-related products and services. Potential members are businesses, other corporations and individuals.

An identity co-operative is not primarily a social statement or charity: it would charge fees for services, pay taxes, and be a good corporate citizen. It would have offices, but probably do all business over the web. It would have staff, paid at prevailing rates, to operate the business, respond to questions or crises, and wear Hawaiian shirts on casual Fridays.

There is a wide range of relevant service offerings, “from soup to nuts”:

Soup (services we already see offered elsewhere):

  • “Private cloud”-based password storage & management.
  • Cloud-based preferences/metadata hosting.
  • SSL certificates for businesses and individuals, including service as a Certificate Authority and verifying owners.
  • Domain name registry, and registry services for new top level domains (say, .newberlin ?).
  • Analytics & reputation management services (like Klout, but with transparent methodologies).
  • Market report aggregates, essentially paying royalties to members to reuse their personal data.
  • Identity monitoring and identity theft prevention.

Nuts (newish, out-there services):

  • Anonymity services, like single-use email addresses & forwarding.
  • Online elections for government (who is more trustworthy to voters than a broad base of voters?)
  • Authentication provider (“Log in with…”, authorize many services with only one account).
  • Personal data mining, analyzing your own personal metrics (purchases, product choices) to look for patterns you can’t see on the surface.
  • Voluntary, subscription-based credit reporting system.

As in every co-operative, the policies and programs are determined by one vote per member. That’s important in this case.

The difference that makes the difference

Identity isn’t like the other things that we consume day-to-day.

It’s something we can’t buy fresh on impulse, or change with fashion, or throw away. That’s what makes it so valuable. That’s what makes it a bad fit for retail sale from private vendors, compared with commodities like bandwidth or take-or-leave products like streamed media.

Identity is scale-independent. Digital identities for individuals and big companies have similar demands and technical processes. The services in the lists above require little bandwidth compared to, say, serving media, and have self-limiting qualities.

This argues in favour of a co-operative structure. Beyond simply paying for services, a wide base of members can play an operational role in verifying each others’ identities, with an executive coordinating their communications.

Co-operation offers one unique benefit. The same members who obtain identity services choose what they won’t do to provide them. That’s a huge innovation. It neutralizes the incentives to leak or misuse personal information.

Digital identity will only get more complex. There’s safety in numbers, cryptographic and otherwise. An identity co-operative would spread out the costs of advocacy. A dedicated agency creates laser-focused messaging and active industry participation for pennies a day, where isolated individuals make anecdotal, vague complaints.

But would it surprise Oprah?

Kitchener/Waterloo/Cambridge is on edge over BlackBerry’s future. We’ve gotten used to the perqs of having a world-leading brand for a neighbour. As the tinder sputters, we hope that the kindling has lit.

When Oprah was enthusing over BlackBerry, RIM was clearly selling “Difference”, not “Price”. All the elements RIM offered were available elsewhere, but not in the same mixture. RIM’s formula was an existential solvent, abruptly reshaping our lives in (often) beneficial ways.

Everybody else entered RIM’s wheelhouse. RIM slowly switched to selling “Price”—the same mobile zeitgeist, done better—and so did everybody else. The results are before us.

Our startup scene seems focused on “Price”, too. As is happening in so many other places, they’re turning IP into algorithms and branding, they give it a public beta, and hopefully monetize or flip it. Is there any “Difference” in each new bundle of acronyms and catchy moniker? Would our stables full of web and mobile startups surprise Oprah?

Today the market is exploring the underlying incentives that motivate entrepreneurship as much as the technology it uses to makes shiny gadgets and websites. After several boom-and-bust cycles brought on by aggressive wealth generation, a focus away from returns is a breath of fresh air, in many ways. There is “Difference” in the contemporary impulse that drives people to credit unions, to car and bike shares, to crowd-funding.

The idea of an identity co-operative is a surprise. From my experience with other co-operatives, they can offer their members a feeling of “too good to be true”. This feeling can be a little unnerving and take time to accept, like the idea of having your emails in your hand.

Kirk Zurell - @kzurell - Kitchener, Ontario.


TL;DR

I tried getting an SSL Certificate and my credit reports. In both cases, something just wasn’t right: the vendors had incentives that were at odds with mine.

So I thought, “why not allow those who buy personal and online identity services to produce them as well?” Answer: a co-operative. We already use them for a variety of more commoditized products and services, why not for something a little more crucial?

It’s especially important to this proposal that identity is scale independent: a company with thousands of employees has many similar identity management needs to an individual or small business. It’s also a wise idea that identity be more mutual, and co-operative structure encourages it.

KWC might need to refresh its own zeitgeist in the near future. Besides bringing technology companies to life, we can look at other differences to cause new surprise and delight around the world.

When asked “what kind of think-tank should we have here”, I suggest an organization devoted to promoting online identity. K.