State problem(s), Too many identities. Identities are not interoperable
Too many bloody identities! Most websites and tools require you register and create a new identity. People using a password safe may have 100s of identities to manage and it is only getting worse. And people often have multiple email accounts. Worse, people think they know what your identity is for a product that you have spent ages agreeing on for your collaborative project, and then send the invite to the wrong email address, so you end up wasting even more time. And then there are the identity mysteries: How does platform XYZ know my email address when I have never even (knowingly) registered on that specific platform?
Slack requires a new identity for every slack group. Some users default to using the same email and password across accounts, thus defeating to point of having these separate identities. Institutional ID, Microsoft ID - how do they relate to each other? It’s easy to get confused about which password and username to use. Many commercial services don’t consider that you’re signing up on behalf of a group of colleagues e.g. twitter, eventbrite, mailchimp - it means if you leave the account access may be lost. Company acquisitions create an interesting identity problem: you thought you signed up for Lynda.com, but when Lynda got acquired by LinkedIn, LinkedIn also hoovered up Lynda user accounts. The result: instead of having one LinkedIn account, previous Lynda users now also have a new LinkedIn account (that’s not linked to their original old LinkedIn account). How many people even realise this? Just to make things even more interesting, Microsoft then acquired LinkedIn. I wonder what that means for user identities: do we now also have yet another shadow profile on Microsoft? Another similar issue is the ‘addressbook rape’ - the thing where your friends start using a service or app and unknowingly release the contents of their addressbooks to this third party that you have no intention of ever using. How do you control identity and access management beyond the boundaries of your institution? Cloud services are mostly commercial, it’s difficult to be sure of data protection issues, and you don’t know how secure they are. Sharing options are usually pretty limited to read or read and write on an individual basis. Confusion between online identities isn’t helped by services making assumptions about who you are based on tracking data
Current options from service providers:
- Services should not require identities from users. Socrative, PsiPred Worbench, PubMed, Etherpad, anonymousFTP. People providing services should exam closely whether an identity is needed to use the services.
- Services create secret identities of users on the web this is a schieved with cookies; i.e. Google. Appears anonymous but a browser fingerprint is used to uniquely identify you.
- Service lets you use an identity you already have (facebook, google, Office365, OAuth). Many appreciate the convenience. Some can be uncomfortable with this as they wish to be more anonymous
Options for users:
- Use separate browsers for work and personal stuff
- Buy a burner phone for signing up to services
- Use ingocnito mode in browsers
- Link accounts when you are comfortable.
- Old business idea: online identity provider - works like Facebook, but you pay 1 a month for a service that doesn’t try to sell your data
- [OpenID]((https://en.wikipedia.org/wiki/OpenID) and OAuth could help cutting down on having too many identities