In Search of Standards: Internet Identity Workshop 2008b


We attended the latest Internet Identity Workshop last week, held at the Computer History Museum in Mountain View, California.  The self-described heart of the workshop “is a practical idealism in working towards the shared vision of a decentralized, user-oriented identity layer for the Internet.”

If that sounds geeky, well, it was.  But we can be pretty geeky ourselves, and we enjoyed mingling with some of the great engineering minds who are creating and evangelizing what may be the Web’s future identity infrastructure.

One of our goals in attending the IIW was to determine which emerging standards, such as OpenID, CardSpace, SAML, or OAuth, Honesty Online should be supporting.  Our experience at IIW didn’t change our answer, which is: none — yet.  Two things might change this answer.  One, if we see widespread adoption by end-users of a standards-based identity infrastructure for the Internet.  Two, if we hear from our partner sites (current or potential) that you want us to implement an OAuth API, or OpenID attribute exchange, or some other standard that you have adopted yourselves.

Incidentally, if you’re in the Mountain View area, I recommend a stop at the Computer History Museum. Their “Visible Storage” display of classic computers and computer artifacts is not to be missed.

All content Copyright © 2008 Honesty Online, LLC. All rights reserved.

Honesty Online adds “Prestige” to Speed Dating

Bubble Lounge

The Bubble Lounge in NYC (pictured above) was the site of a speed dating event last Wednesday night.  What was unusual about this event was that, for the first time, the identity of every participant was Honesty Online Verified.

The idea of a secure speed dating event was developed jointly by Honesty Online and our partner FastLife, the world’s largest speed dating and singles events service.  These “Prestige Speed Dating” events target high-income professionals interested in a safe environment for meeting people.

Did the concept work? Sharlene Salazar, who hosted the event for FastLife, gave it the following review: “Way, way above average! …everybody was a little less reserved, a little more themselves.”  According to Sharlene, who has hosted many non-Prestige events for FastLife prior to this one, “everybody likes to see data” — particularly in the professional demographic targeted by this event — so the fact that everybody walked in with an identity vetted by Honesty Online added another layer of credibility and exclusivity for all participants.

We look forward to doing more Prestige Speed Dating events with FastLife in the future.


Fake Friends Forever

In “The Unofficial Facebook Blog”, author Nick O’Neill writes, “Creating false profiles of other people on Facebook has been a normal thing since the launch of the site four years ago.”  He references an amusing College Humor video about creating fake Facebook profiles.

All joking aside, one could do significant personal or professional damage by spoofing somebody else on Facebook.  That begs the question, how do you know your friends or colleagues are behind their purported Facebook identities? For that matter, how would you prove that your own Facebook profile belongs to you?

Facebook doesn’t offer a “verified profile” service.  There does seem to be an opportunity here for a 3rd-party identity verification credentialing service.  Honesty Online has looked at this opportunity.  But how to build a robust solution, that is, one that provides a credential that itself can’t easily be spoofed, isn’t obvious.  Our existing anti-spoofing security measures rely on close integration with the partner site offering our verification service, and can’t be directly reproduced on a neutral site such as Facebook.

So, today Honesty Online doesn’t offer an identity credential solution for user profiles on Facebook or other “neutral” (non-partner) sites.   But I wouldn’t be writing about it if that weren’t likely to change in the not-too-distant future.


Buying a New Online (Device) Reputation

Suppose I decided my computer were “tainted” and wanted to get a fresh start on the Internet as cheaply as possible. What are some quick and easy options? Well, there’s a bargain basement Dell for $299. I could consider a refurbished PC for, say, $180. Basically, I can get what I’ll call a “clean internet device” off-the-shelf for no more than $300 and possibly under $200. Overall there are conservatively over 200 million clean internet devices sold annually. I’ll get back to this economic analysis shortly, but first a discussion of online fraud detection…

Online identity verification and online fraud detection occupy roughly overlapping circles. Identity verification attempts to prevent people from misrepresenting themselves; fraud detection attempts to prevent people from misrepresenting their online transactions (e.g., using stolen credit cards).

Common approaches to fraud detection include identifying invalid attributes associated with a given transaction (e.g., a stolen credit card), and identifying patterns of invalid behavior (e.g., a user account repeatedly associated with fraudulent activity).

One relatively recent variation on online fraud-detection is to associate patterns of fraudulent behavior with internet-enabled devices. By tracking devices where fraud has originated, subsequent activity originating from those devices can be flagged as potentially fraudulent.

That leads me to an item that appeared last week on the Online Dating Insider, an internet-dating trade blog, covering a corporate blog post by a “device reputation” company that took a swipe at background check services for online dating sites. That blog post talked about how easy it supposedly is to defeat online background checks.

The problem I have with this post is that it addresses background checks in the absence of identity verification. Sure, if you don’t verify a user’s identity, s/he can give you a false identity that passes a background check. One of the strengths of Honesty Online’s Verification service is that we ask the user to check him/herself out and meet a much higher standard that requires both submitting a valid identity and proving your claim to that identity. Our Certification service, which includes a criminal and sex-offender background check, is built on top of our identity Verification service.

Seems to me it’s straightforward to defeat fraud-detection based on device reputation. You have to switch accounts and IP addresses frequently, since like other fraud-detection schemes this one includes account and location information in its fraud-tracking network. The other thing you need to do is get a clean device — a device with an untainted “reputation.” As I discussed above, there are 200+ million clean devices joining the party every year, and they’re available at prices as low as $200 or less (much less if I’m able to build PCs from parts, which I haven’t even considered here). So I’d say that’s the price of avoiding device-reputation fraud detection.

(Somewhere there’s a disgruntled former employee of this device-reputation company who knows the secret sauce behind their device-identification technique, and how — whether by swapping out the CPU, deploying the kind of “crack” that hackers use to defeat Microsoft’s anti-piracy checks, or the like — to defeat it at little or no cost.)

I welcome comments on this post from those who can explain any flaws in my assessment of the vulnerabilities in fraud-detection by tracking device reputation.


The Partner-Centric Approach: Part 2

At Honesty Online, we recognize that our success depends on our partners. What’s so partner-centric about our approach, then?

Here are some things Honesty Online does NOT do to allow our identity verification service to be integrated into your site:

  • We don’t tell the user, “here’s some HTML you can paste into your profile” and then let the user worry about whether you actually allow him to add HTML to his profile on your site (you probably don’t).
  • We don’t tell you, the site owner, “here’s an API — maybe you can figure out how to make it useful”.

We have built a simple, well-documented API that has been designed from the ground up to allow partner sites to include Honesty Online credentials in their users’ profiles. We want both our partners and our users to have to do as little work as possible, while still delivering a reliable, secure identity-credential creation and sharing service. Here are some of the details:

  1. Currently, our interface includes a grand total of 5 web-service calls (designed in a “REST”ful manner, for you geeks out there).
  2. Our simple, patent-pending authentication protocol allows users to have confidence that a credential hasn’t been “spoofed” — no extra log-in or validation required of the user.
  3. User payment can either be collected by Honesty Online or “prepaid” by the partner as part of a membership-fee bundle.
  4. For partners that can exceed a relatively low traffic threshold, we offer a co-branded landing page.
  5. We provide partners with images in various shapes and sizes to depict a user’s credential-status and to help up-sell the service.

What about the non-technical parts of partnership? We give partners integration help and advice, both in the form of a Marketing Integration Guide and in phone calls and emails. We’ll provide as little or as much input as you want — from “just the API guide, please” to becoming your virtual Integration Product Manager. Whatever you feel will make you most successful.

Last but not least, through revenue-sharing, which is available to all partners, we offer a valuable premium-service for paid customers and/or “found money” from non-paying members.

It would be great to see an Honesty Online credential on every user profile on <insert social network name>. More important to us, though, is building individual communities of trust — one partner site at a time.


The Partner-Centric Approach: Part 1

The online identity-credentialing space could properly be described as “nascent”, but there are a few companies actively hawking some sort of verified-identity badge. What makes Honesty Online different?

I’d love to see an Honesty Online credential on every user’s profile on every dating site, social network, job-site, and personal web-page out there. But a vision for broad adoption doesn’t make us different.

What makes us different is that to foster broad adoption of a user-centric service, we take a partner-centric approach. (By “partner” I mean any site that integrates with Honesty Online to allow their users to embellish their user-profile with an Honesty Online credential.) After all, social interaction on the Internet is still organized into a mosaic of individual, more-or-less autonomous websites. The user experience within a given dating site, for example, focuses on interactions with the other users of that site. A dating site is not merely a value-add on top of some ubiquitous Internet dating infrastructure. And won’t be for some time to come.

We recognize that our contribution to online social interaction, which is to promote a community of trust, works best within a given partner site’s community. And we recognize that a successful social-interaction website has created a successful social-interaction brand. We view as a privilege the opportunity to leverage our partners’ brand by being their identity-verification service of choice.

At Honesty Online, then, we recognize that our success depends on our partners. That has shaped our entire approach to our business, from the architecture of our software to the way we help partners position identity-verification on their site. In my next post I will write more about the specific ways Honesty Online helps partners create a community of trust efficiently, securely, and effectively.


Lions and Tigers and Identity Scams, oh my!

Scandalous cases of identity fraud on internet dating sites are good business for Honesty Online. Here are a couple of recent cases:

  1. A man posed as a 10-year NBA veteran and Seattle Supersonics front-office employee to impress women.
  2. A man allegedly posed as a wealthy, Grammy-nominated music mogul, scamming multiple victims out of a combined $102,000.

When I see stories like these, I like to play a game of “Would we have given the cad a credential?” This boils down to two questions: First, did he (usually it’s a “he”) misrepresent his basic real-life identity? The NBA poseur, using somebody else’s name, clearly fails this test and wouldn’t have rated even a Verification credential from Honesty Online.

In the second case, the accused used his ex-wife’s current, and his former, real-life address in his alleged dealings with the scam-ees. No mention is made of his using a fake name or age. So, it’s difficult to say whether he would have scored a Verification (which does not include a check into one’s familiarity with Quincy Jones or Michael Jackson). We haven’t knowingly tested the service on people described as homeless — maybe that would have tripped him up. The second question is the money shot: Does he have a criminal or sex-offender background? Not surprisingly, in this case the schemer has prior convictions for theft and indecent exposure. No Certification for this creep.

As much as we like to make hay out of infamous internet identity scandals, Honesty Online’s core value proposition isn’t defending against the sleaziest of the sleazy (although that’s a useful and saleable side-benefit). It’s enabling Joe-online-user to reassure others that his online persona matches his real-life identity. It’s promoting a community of trust within our partner sites where people seeking a relationship with others — whether that relationship is personal or professional — can home in on those with nothing to hide.


Identity and Identity Verification

Honesty Online was recently the subject of a flattering post on Web2.Oh…really?. A comment on this post highlighted the degree of confusion around online identity, identity verification, and (dare I say it) Identity 2.0. By way of introduction I thought it would be helpful to put what we do, which is identity verification, in the context of these identity buzzwords.

In many circles, having and using an online identity refers to the traditional concepts of authentication (you log into a social networking site, say) and authorization (the site gives you access to your account but not other users’). Untold software developer-millennia have gone into developing systems to manage identity directories, allow single sign-on to multiple systems through one log-in, and control access to online resources such as your company’s HR forms or your personal financial information.

Until recently, online identity-management schemes concerned themselves with authentication and authorization within a single organization or system. If you were lucky, you might be a user of federated systems which, through a formal arrangement, would share your identity to enable single sign-on to each system without having to log in each time. But the Internet does not have a universal identity infrastructure — it consists of, as Kim Cameron described in his “Laws of Identity,” “a patchwork of identity one-offs.”

In 2005, Dick Hardt gave a now-famous presentation in which he defined Identity 2.0 as a universal identity-management system that allows a user to use her identity information throughout the Internet. Identity 2.0 describes a user-centric system, where the user controls what identity credentials (name? age? location? etc.) are shared with each web site, and where identity credentials can be provided on behalf of a user by any trusted identity service — or a combination of services.

Identity management systems, whether traditional or 2.0, deal with digital identity — your presence as a unique online entity. Honesty Online verifies a user’s natural identity — who you are, and what your background is, in real life. Digital and natural identity are not exclusive. Since a digital identity boils down to an entity (a user, say) with a bunch of credentials, and natural identity is a particular set of credentials, it is possible to include natural identity as a subset of your digital identity.

Honesty Online is not trying to solve digital identity problems. We are not trying to implement Identity 2.0. But when Identity 2.0 becomes reality, we fully intend to become an Identity 2.0-compatible credential provider for natural identity — whatever technology achieves the Identity 2.0 vision of universal, user-centric digital identity. In the meantime, out of the many identity issues out there, Honesty Online solves an important one, today — allowing a user to get her real-life identity and background verified for the benefit of others online.
