Long time ago my homepage (on Dragonfire) began with the sound of a modem connect followed by a slow fading splash screen that said only, "who is it?" -- it was a bad retelling of an old Zen joke and I only recall the tale today on a prod from Dale, a question he tagged to an email saying only, "what do you think of OpenID?"
For those who don't know the OpenID story, the short definition 37signals gives goes like this:
One login, many sites -- An OpenID is a single username and password that lets you login to any OpenID-enabled site. OpenID makes remembering different usernames and passwords for different sites a thing of the past.
[ OpenID: Why, how, 37signals ]
Ok, I'll confess up front, maybe I don't know much about 37signals per se, but about open federated ID systems in general? Well, if I'm not mistaken, Microsoft tried to promote the same thing, as did SixApart in their own little way. There is a need and a desire for avoiding incessant logins, no doubt about it logins are awkward and alien, a techno-bound pain and an itch begging to be scratched, but really I don't think this particular backscratcher is a solution. In fact, as I shall now explain, the unified federated login is doomed before it even got out of the gate ...
A Brief History of Federated Logins
By way of illustration, we can look at prior attempts. Drupal.org, of course, has had federated logins for ages. If you had an account on any affiliated Drupal machine, you automatically had a valid account on all federated machines. At the time, the idea seemed to them to be nifty, cool and fool-proof. The trouble was, the abuse hack was so very simple:
The every-site login system only held an illusion of success because Drupal was an obscure network of predominantly low-profile geek-interest amateur sites. Drupal really didn't attract hardcore spammers until Howard Dean gave it a profile.
There were other problems too. For example, to get a login, the federated site must be both online and have the spare cycles to do the authorization, which is not a problem for most amateur demo-sites, but would be a real problem for someone like AOL. So it didn't work and it was precarious. Today most Drupal sites disable this 'feature', and nearly all Drupal sites do not support 3rd-party authorization.
Any friend of yours is just a friend of yours
And then there's the whole social-software network FOAF endorsement idea, the idea that says if Jim says you're in, then I simply let you in. Like LinkedIn or the Ecademy, Ryze and Orkut that came before it, these sorts of speak-easy Who Sent Ya? gated communities sound nice and safe in principle, but in practice all it takes is one corrupt member and the whole thing comes tumbling down. I wrote a lengthy blogpost about this somewhere, maybe on Ecademy, where I observed how all social networks must leak: given sufficient membership size, all networks will inevitably attract the "power networkers" who go gung-ho for the high-score, adding everyone and anyone to their buddy-list, and suddenly everyone in the network is only one hop away from the least trustworthy of members.
Maybe worth a note here how while once upon a time you could take paper from any one bank into any other and convert it right there into ready money; today even a 'certified cheque' is considered no more secure than a cheque hand-drawn in lipstick on the back of a payslip envelope. "That will be on hold for 15 banking days ..." But, it's certified! "It could be certified by anybody, the funds will be held for 15 days." -- once any human network population gets to its threshold, trust metrics fall apart, usually for very good reasons. Loose lips sink ships and there's a flapper in every crowd. Ergo, to-wit, an inherent advantage in the current scene of small fragmented communities each with its own small and trusted circle of friends. If you want an account on The Peninsular, you must be a stakeholder in that community. "Jimmy sent ya" only goes so far.
But back at 37signals, based on observations of how many tech hooks are implemented and widely deployed without forethought (e.g. Trackback) a wide-scale fad of federated logins is probably inevitable, no matter how badly it works. True, Microsoft couldn't pull it off, but that's because people just don't trust Microsoft (for more reasons than anyone can count) -- and this new OpenID associates itself with a quasi-AOL account -- if we recall from the domain registry wars in Geneva of the US ISP entanglements to the Total Awareness office, there's even more cause for alarm about what any self-appointed certificate authority is likely to do with the tracking data auto-generated from the use of their ID cookies, and if not today, if impeccable in their behaviour today, there are no guarantees what future directorship might do when pressed by the right pressure. To be the holder of such power, your organization would have to be incorruptible. Which lets out the state, and lets out the church -- so now we're going to give it to arbitrary tech merchant barons? Oh wait, looky here: notice what I'd already said about the trust metric and network scale ...
In a way, Yahoo! and Google already have similar ideas, although they are still stuck in the old-school idea of needing to brand all the services under their fold, and I think it is also inevitable they give up on that; so to their credit and on a plus-side, maybe 37signals can be a catalyst prompting the others to think of new models for integrating federated webbed-services, instead of everyone trying to be the One True Host for the entire world.
Let Us Compare Mythologies
But there is another reason I'm not a fan of this unified-login scheme, and this reason is non-technical in a computing/information sense, although very technical in a cognitive psychological sense.
There is a saying among cognitive (non-Freudian) psychologists that, "If you want to experience Multiple Personality Syndrome, go visit your parents." The fundamental core human-factors problem with any attempt to model real-world human identity is simply that there is no 'identity' to be modelled! The 'self' is a myth.
Cognitive Science cannot locate any invariant 'I'. Even the Dalai Lama writes, "Who is this 'I'?" -- the concept is a recent philosophical construct with as many definitions and interpretations as there are practitioners of 'self'-centered thinking, and if there is any immutable and singular ghost in the machine, we have yet to isolate any one central cohesive construct that doesn't flit all over the behavioural map.
Sometimes this, sometimes that -- the 'reality' of our selves is that we are only what we are. We are different in the gardening club surrounded by grandmas and old hippies, different again when in the Linux geeks or RC-Racing hobbyists club. Assert all we might, the observational fact is that context is everything when dealing with humans. Most people live their lives within a few well-defined contexts, so until now this hasn't been much of an issue, but in the Electronic Age we can change our contexts with no more than the click of an index finger. Presto Shazzaam!
I know it is not a popular view. Our western philosophic culture jumps up and down to deny our basic and dynamic multiplicity (we being the only culture on the planet to harbour such beliefs) but nonetheless, nearly every facet of us human beings becomes changed as our context is changed. We hold to a perception of continuity in our self-presence, but it is largely an illusion, a myth of our philosophies, largely maintained by only looking when we choose to look. When we stop to observe our own behaviour objectively, all these supposed invariant personality "traits" vanish; they are the stuff of newspaper astrology and psychic fairs, or as I think it was Oscar Wilde once put it, "I am a big person. Plenty of room for contradiction."
Which is a good thing. A good deal of 'changework' therapy consists in giving the client a new and different context in which they can play with and learn new and less troublesome sets of habit patterns. Whether that is NLP or Reiki or Freemasonry or St. Ignatius or psychotherapy, the client is led only to look in different places. Nothing else has 'changed'.
So, anyway ... let's talk about not-me
Back at our old friend the Universal ID: I have found that my basic human truth of being all these multiple who's I am now collides with my use of the new single-identity Google services: there I was, happily running several blogs under distinct and neatly defined and delimited blogger.com IDs, then POW suddenly all rules were changed, suddenly Google steps up without forethought for our human factors and presto like every other 'user' I am suddenly constrained to 'sign' all of my blogs as the one and only one gmail-mrG!
The impact was immediate. I tried my best to route around the obstruction, avoiding their increasingly frequent pleas to please unify your accounts until alas, that Day of Reckoning came and the old-school login was no longer an option. With some of those blogs, it was obvious I could not continue without the security of that arms-length anonymity; I had to be only 'ratepayer'; to be any one particular ratepayer would make the impartiality of the content suddenly perceived as partial. So the first problem was the not-I contexts. But then, even in the other more 'personal' genre blogs, I still sensed a sudden change in how I perceived my role, in what I felt myself that I should or should not say now that I was no longer 'protected' behind a distinct persona. I found an unnatural pull to a homogeneity, a reluctance to be that self and a pull to be this self instead.
Maybe worth recalling here how our English word 'personality' has its roots not in religions of the immutable soul, but in the jargon of ancient Greek theatre. Our word comes from their word for the masks actors wore: A 'persona' was something you put on, a tool you used to create a 'you' for a specific effect for a specific role and purpose. These singular universal login schemes deny this basic reality of the modelled domain, they feel compelled to simplify their own task by denying that the bowling-team captain and the financial-futures trader may share a body but are really and truly functionally distinct and different personae; sometimes they mix, sometimes they can also be reluctant to mix, sometimes they can be poison to mix.
Until we can address this basic reality of personal identity, all these federated schemes will find a fundamental impedance mismatch trying to map themselves to anything more than bank account sorts of data values. Yes we could do without this incessant login/password nag (a start might be to find a better word than 'login' or 'username'!) and yes, it would be nice to streamline our personal privacy management online, at least as streamlined as the privacy management we have in the real world, but right there I think I may have found a corollary, a new Law of Computer Science to be emblazoned in school halls:
'hard to model' don't mean it ain't so
- mrG's blog