The Liberty Alliance: Circle of Mistrust

After almost a year of work, the Liberty Alliance (http://www.projectliberty.org) launched its first set of specifications, giving users simplified sign-on to Web sites from any platform or device as well as federated identity across multiple systems. The Liberty Alliance, led by Sun Microsystems, features an enterprise-heavy membership roster, including General Motors, Sony, American Express, United Airlines, Nokia, and dozens of others.

The idea behind Liberty is relatively straightforward, and is best illustrated with an example. ABC Airlines and XYZ Car Rental Company decide to create an affinity group, or “circle of trust.” Mary is a frequent traveler and has accounts on both ABC’s and XYZ’s Web sites. She logs into ABC’s Web site. Her welcome page prompts her with the following message: “You may share (or federate) your ABC online identity with members of our affinity group, which includes XYZ.” Mary likes the idea, so she gives her permission thereby opting in to the federation. Mary then purchases her plane ticket, and goes to the XYZ site to rent a car.

The XYZ site recognizes her as a member of the ABC affinity group, and presents her with this message: “We see you’re logged into the ABC Web site. Would you like to link your XYZ online identity with your ABC online identity?” She again gives her consent, and then must log into the XYZ site. Once she successfully logs in, the federation of her identities on the two sites is complete. In the future, when she goes to either the ABC or XYZ site, she need only log into one and she’s automatically logged into the other. Logging out of either site may also log her out of the other. In addition, when she logs into one of the affiliated sites, say the ABC Airlines site, it automatically recognizes that she is a member of the affinity group, which means it can display a “rent a car” link, or offer Mary a cross-promotion that leverages her membership in the affinity group.

Behind the Scenes
The essential piece of machinery behind the Liberty Alliance spec is the user handle. A user handle is a sequence of characters that identifies the user to one particular pair of parties in the circle of trust; a different handle is used for each pair. User handles are opaque, meaning that a handle has meaning only to the two parties that federated the user’s identities. The handle is meaningless to anybody else, is not derived from the user’s name or account, and contains no personal information about the user. It simply indicates that Mary in ABC’s system is the same person as Mary in XYZ’s system, and because each pair of parties gets its own handle, two other members of the circle cannot compare notes and discover that their handles refer to the same Mary.

When Mary first decides to federate her two identities, ABC and XYZ are in a quandary known as the introduction problem. When Mary arrives at XYZ, XYZ has no way of knowing that ABC is the site that can vouch for her, and the first user handle it receives from ABC means nothing to it until it has been tied to Mary’s XYZ account. Liberty solves the introduction problem by using a third party Web site it calls a common domain service. In our example, think of the common domain service as something a travel industry consortium might offer to all the members of ABC’s and XYZ’s circle of trust. The common domain service writes a browser cookie on Mary’s system that both ABC and XYZ can read. The cookie does not carry the handle itself; it records which identity providers Mary has logged into, which is the introduction XYZ needs in order to ask ABC for Mary’s handle, verify it, and link it to her XYZ account once she has logged into XYZ.
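To make the user-handle and introduction machinery concrete, here is an added example in Python that is not code from the Liberty specifications or from any Liberty implementation. It models ABC as an identity provider issuing signed assertions, XYZ as a service provider that links handles to its own accounts only after a local login, and the common domain service as a cookie that names the identity providers Mary has used. The shared HMAC key standing in for the XML signature on real assertions, the cookie name and its encoding, and the provider and account names are all assumptions of the example.

```python
# Toy model of Liberty-style federation with opaque, pairwise user handles.
# Added example, not code from the Liberty spec or any Liberty product.
# Assumptions: a shared HMAC key replaces the XML signature on assertions;
# dicts replace the browser and the common-domain cookie store; the cookie
# name "_liberty_idp" and its base64 encoding only approximate the spec.
import base64
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """ABC Airlines: authenticates users and vouches for them with assertions."""

    def __init__(self, provider_id, signing_key):
        self.provider_id = provider_id
        self.key = signing_key
        self.sessions = set()
        self.handles = {}  # (local user, partner id) -> opaque handle

    def login(self, user):
        self.sessions.add(user)

    def logout(self, user):
        self.sessions.discard(user)

    def handle_for(self, user, partner_id):
        # One random handle per (user, partner) pair. It is not derived from
        # the username, so it carries no personal data, and two partners
        # cannot match their handles for the same user against each other.
        key = (user, partner_id)
        if key not in self.handles:
            self.handles[key] = secrets.token_urlsafe(16)
        return self.handles[key]

    def assertion(self, user, partner_id):
        """Signed statement: 'the holder of this handle is logged in here'."""
        if user not in self.sessions:
            raise PermissionError(f"{user} is not logged in at {self.provider_id}")
        payload = json.dumps({"iss": self.provider_id, "aud": partner_id,
                              "handle": self.handle_for(user, partner_id)},
                             sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload, sig


class ServiceProvider:
    """XYZ Car Rental: links identity-provider handles to its own accounts."""

    def __init__(self, provider_id, idp_keys):
        self.provider_id = provider_id
        self.idp_keys = idp_keys  # issuer id -> shared key (assumed trust setup)
        self.links = {}           # (issuer, handle) -> local account
        self.sessions = set()

    def _verify(self, payload, sig):
        claims = json.loads(payload)
        key = self.idp_keys[claims["iss"]]
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        # Reject a forged signature or an assertion meant for another site.
        if not hmac.compare_digest(expected, sig) or claims["aud"] != self.provider_id:
            raise ValueError("bad assertion")
        return claims

    def pick_idp(self, cookie):
        """Introduction: the common-domain cookie says where the user logged in."""
        ids = [base64.b64decode(x).decode() for x in cookie.get("_liberty_idp", [])]
        return [i for i in ids if i in self.idp_keys]

    def federate(self, payload, sig, local_user, local_login_ok):
        """Opt-in link: Mary must authenticate to XYZ before the handle is accepted."""
        claims = self._verify(payload, sig)
        if not local_login_ok:
            raise PermissionError("local authentication required to federate")
        self.links[(claims["iss"], claims["handle"])] = local_user
        self.sessions.add(local_user)
        return local_user

    def single_sign_on(self, payload, sig):
        claims = self._verify(payload, sig)
        local_user = self.links.get((claims["iss"], claims["handle"]))
        if local_user:
            self.sessions.add(local_user)
        return local_user  # None means not yet federated: show the opt-in prompt


def common_domain_cookie(idp_ids):
    # The common domain service records which IdPs the browser has used, not the handle.
    return {"_liberty_idp": [base64.b64encode(i.encode()).decode() for i in idp_ids]}


def run_scenario():
    """Mary federates ABC and XYZ; returns the observable results of each step."""
    key = secrets.token_bytes(32)
    abc = IdentityProvider("abc-airlines", key)
    xyz = ServiceProvider("xyz-cars", {"abc-airlines": key})
    abc.login("mary")
    cookie = common_domain_cookie(["abc-airlines"])
    idp = xyz.pick_idp(cookie)[0]
    payload, sig = abc.assertion("mary", xyz.provider_id)
    before = xyz.single_sign_on(payload, sig)               # unknown handle -> None
    xyz.federate(payload, sig, "mary.s", local_login_ok=True)
    after = xyz.single_sign_on(*abc.assertion("mary", "xyz-cars"))  # linked -> "mary.s"
    handle_xyz = abc.handle_for("mary", "xyz-cars")
    handle_def = abc.handle_for("mary", "def-hotels")        # different partner, different handle
    return {"idp": idp, "before": before, "after": after,
            "pairwise_differs": handle_xyz != handle_def,
            "handle_has_name": "mary" in handle_xyz.lower()}
```

Two caveats a practitioner would add: the real protocol signs assertions with XML digital signatures rather than a shared secret, and assertions are meant for one use, so a production service provider would also reject a replayed payload, which this toy deliberately omits to keep the flow readable.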

Liberty’s Fatal Flaw
The problem with the Liberty Alliance specification is one of perspective. The software vendors and enterprises that put together the spec did not adequately put themselves into users’ shoes. They mistakenly assumed that making user federation an “opt-in” process, coupled with the opaque user handle and secure protocols, would be sufficient to address user concerns about privacy. ZapThink doesn’t agree. Companies’ abuse of “opt-in” email marketing and illicit sharing of private customer information has made permission marketing a sad joke, and opt-in federated identity promises to be the same, only worse.

At the crux of the opt-in issue is the fact that Mary’s choice to opt in to the ABC/XYZ circle of trust is an all-or-nothing affair. Once she gives her OK, that’s a license for both ABC and XYZ to actively market to her or, more importantly, to share her vital private information with each other, whether she wants that to occur or not. Sure, XYZ may choose not to flood Mary with promotions, but once Mary opts in, she no longer controls how XYZ markets to her; XYZ does. Also, Mary may not want XYZ to know about the preferences, purchasing patterns, or personal information she has provided to ABC, but ABC may share that information with XYZ nonetheless.

Keep in mind that each circle of trust must have at least one common domain service. What’s to stop a common domain service from acting as a customer information clearinghouse — exchanging private data about users with every member of the circle of trust? The answer is what the Liberty spec calls an operational agreement. But according to Liberty (and we’re quoting here): “Operational agreement definitions are out of the scope of the Liberty Version 1.0 specifications.” So, maybe a future version of the spec will address this fatal flaw — especially if consumers demand it.

While officials at the Liberty Alliance claim that companies in circles of trust exchange nothing but user handles in version 1.0 of the spec, they do acknowledge that personal information will be part of the version 2.0 specification. This acknowledgement leads us to wonder just how much control users will have over their private information. Relying on companies to safeguard individuals’ privacy is an ethical and technical quagmire that has caused many companies — such as online advertising company DoubleClick — tremendous difficulties.

ZapThink’s Recommendation
ZapThink believes that users should have a say in how companies use their personal data — on an item-by-item level. Users should also have the final say on how companies market to them. The Liberty Alliance should go back to the drawing board and develop a more user-centric specification, maybe by taking advantage of the work that the Platform for Privacy Preferences Project (P3P) has done. Sure, users will appreciate the added convenience of logging into multiple sites at once — but not at the price of more spam or invasions of their privacy.