Liberty must focus on user privacy and experience
This starts where my earlier discussion of the Liberty Alliance Project's approach to user-centric identity left off - with a discussion of some of the important user-centric issues that Liberty can ill-afford to ignore.
Mechanisms need to be in place to ensure that identity providers and service providers aren't able to build up pictures of an individual's activities, and so potentially compromise privacy. The Liberty white paper discusses some workarounds but further work needs to be done.
Also, Liberty must extend its focus beyond backend protocols and recognise the importance of a consistent user experience. Without such consistency an individual is likely to be confused as they interact with different combinations of identity and service providers. I am not necessarily suggesting that Liberty define a single user interface but rather that there is consistency in the dialogue, the use of interface cues etc. This is one advantage of Microsoft's InfoCard approach: an easy-to-understand credit card metaphor with a common user experience.
This was acknowledged by yesterday's presenters and Liberty does have some guidelines already, such as the ID-WSF Interaction Service, but more work is required. One possible avenue to be explored is collaboration with the Higgins Project, given that it is focussed on standardising how developers exploit different identity management solutions. The big challenge here of course (as I discussed here) is that Higgins is an Eclipse project and Sun, which remains wedded to its NetBeans alternative to Eclipse, is a driving force behind Liberty. Coincidentally, Paul Trevithick, CEO of Parity Communications and the project lead of Higgins, has been seeking input from the Identity Gang's Identity Workshop mailing list on one aspect of the user experience: consistent, meaningful naming of "information card thingies".
Clearly, it is still early days but organisations who deliver Internet-based services to the public at large need to be closely monitoring developments around user-centric identity. Going forward, individuals are going to demand simpler, consistent mechanisms for securely accessing those services, where they are firmly in control, and which do not compromise privacy.