Test Market for Identity Services and Policy

Yesterday I went to the Internet Identity Workshop at the Computer History Museum to explore one question -- if you had a test market where identity standards, infrastructure, user preferences and adoption where in place, what kinds of policies and identity services would emerge? 

I hinted at this question in a recent blog post, something I'm attuned two because of two facets of my identity: my work in the technology industry and some connection to Estonia (aside, my blog post was linked to by Estonia's largest weekly).  But the question is interesting for two reasons:

• it leaps past the current concerns of the identity community of competing standards and adoption
• it is a very real short term future in Estonia

With 1M Estonian eID smart cards, GSM SIM cards and open.id.ee in beta -- 80% of the population has adopted identity infrastructure from the top down.  With OpenID enabling internet identity, support from Microsoft, Google and many Web 2.0 startups, and spawning further collaboration such as Oauth, the potential for innovative identity driven services is significant.  The first phase of identity driven innovation in Estonia has yielded 89% of banking transactions online, 80% of tax returns filed electronically, legally binding eVoting, and mobile payments. Identity is the missing layer of the internet and now there is a little country that could help innovators leap ahead.

So if you assume this short term future, you get to to imagine new internet identity services for testing in a real market.  You also get to think through policy considerations.  Government and regulation will inevitably be involved with internet identity, especially where the trust relationship between citizen and state provide the basis for it.  Even when the state provides the basis of identity, there will be other means to establish it on the net, a diversity that creates its own check and balance.  Some people, particularly in the UK with its recent privacy breach, resist the natural role of government in identity.  To do so not only is a barrier to constructive conversation with lawmakers, but it ignores the existing body of law around identity in the real world.

I was chatting about this with Doc Searls and he recounted a breakfast conversation with Iain Henderson, whom I met later that day.  From Doc's IM:

Government sees two categories of data, especially identity data -- public and private. As in public sector and private sector. But there is also a third: user-originated. He [Iain] believes the majority of data government care about in ten years will be generated by individuals, as the point of origin, and also as the point of service integration.  An analog to the multiple-silo problem is the fact that governments tend to see individuals as a collection of silos as well. There is no integration between health services, civil defense, taxation, social services, education and the rest of it. The individual needs to be equipped to be the point of integration from the data standpoint, and the point of origination for service requirements. That goes for relationships with both government and business. This is the essence of VRM, and where VRM and identity meet.

Later in hallway conversation with Doc and JP Rangaswami, JP described the need to shift the focus from data (can I get my identity data in and out from a service provider?) to relationships.  He pointed out that the relationship you have with your lawyer or doctor is privileged by law so you have greater trust in sharing your identity.  Identity relationships exist between citizen and state, citizen and firm, firm and state, and firm to firm.  The last two hold the greatest concerns.

When you assume identity infrastructure and adoption, you can explore these policy questions.  Individuals will originate an increasing amount of identity data.  Could letting individuals have control over their identity relationships yield better data?  Could it even be a human right in the digital age?  What can we adapt from the seven laws of identity into real law?  Could mandating personalized disclosure statements provide balance to relationships and begin the conversations that form real relationships between citizen and firm? Would the right forward looking policies in a test market like Estonia yield greater investment, innovation and citizen satisfaction?

My Dinner with Andrus

Friday night I had dinner with the Prime Minister of Estonia, Andrus Ansnip.  He was in town to open a "tech embassy" in San Jose, part of Enterprise Estonia.  While most of the world knows Estonia for Skype, there is a little more to it, as I've blogged before.

• 57% of the 1.3M population use the internet, and a Tiger's Leap program provided internet access to all schools
• The IT sector has developed particular core competencies in identity, security, mobility, p2p, voip, ebanking, egovernment, egambling, ecommerce.
• Web based services by the government as well as the private sector for doing business in Estonia are widespread with 98 percent of banking transactions made electronically.
• More than 80 percent of income tax filings by individual citizens of Estonia were filed electronically in 2006 and 65 percent of the population uses chip-based ID cards (this may be 80% now, see below)
• In 2005 they became the first to have legally binding internet voting
• Bay Area Estonian connections include: Draper Fisher Jurvetson (DFJ), a Silicon Valley based VC, and one of the first investors into Skype. BlueRun Ventures (VC) with investment into FusionOne (development team in Estonia). Egeen International - a biotech company in Mountain View that has been involved in Estonian Genome Project.
• They are the first to withstand a cyberwar

The setting of the dinner was too noisy for real conversation, which is unfortunate because these are such interesting times.  Wage growth and inflation are a concern and Eurozone entry is at risk.  Lacking monetary controls as stimulus, and maintaining a tight fiscal policy, GDP has slowed.  Even the fundamentals of the housing growth are changing with the credit markets. 

As I suggested to the last Prime Minister and the last President, a significant opportunity exists in relaxing immigration controls, particularly for technology skilled workers.  This is politically difficult given that 25% of the population are Russians who came as occupiers, and policies aimed at protecting Estonia's language and culture.  If it was as attractive and welcoming to work there as it is to invest there (no capital gains tax, etc.), it could be a significant form of economic stimulus.  And with the IT sector actually being small, with Skype, Playtech and banks employing most of them, it is critical to attract more employees for future growth.  A H-1B visa program, without limiting quotas, to fast track technology and research immigrants could be one solution.

Before dinner I of course Twittered for questions, and got lots of fun ones:

• trishussey   @Ross Would he give addresses as podcasts?   07:14 PM November 29, 2007
• factoryjoe   @ross Ask him how the OpenID tied to identity cards is working out!   07:20 PM November 29, 2007
• rainer   @Ross: on which websites does @AndrusAnsip use his OpenId?   04:15 AM November 30, 2007
• briancaldwell   @Ross "How has your country recovered from and protected against future cyber warfare attacks?"   07:30 PM November 29, 2007
• geraldb28   @ross The obvious... update on cyberattacks would be interesting.   09:14 PM November 29, 2007
• Pistachio   @ross ask him to seesmic with you?   10:12 PM November 29, 2007
• ramsey   @Ross: "Mr. Prime Minister, does that make you a holy man? Being a minister and all?" 10:28 PM November 29, 2007
• jstorerj   @ross you could ask if he supports the Estonian start-up that's building social networks for dogs & cats (http://tinyurl.com/28meos). ;-)   11:15 PM November 29, 2007 (editor: no, he probably supports Dogster)

There is a sample bias here, but Chris Messina's question led me to an interesting thought, because there are over 1 million smart card-based OpenIDs in Estonia:

• Every Estonian eID holder (around 80% of Estonian population) has an unique OpenID with the format open.id.ee/[firstname].[lastname](.number) Example: open.id.ee/martin.paljak
• No registration, no passwords, hardware tokens only - most secure OpenID provider to date where no phishing is possible (using traditional smart cards and soon GSM SIM cards over GSM network)
• Your online identity can never be stolen because your OpenID is attached to your real identity. You can always replace your stolen eID card and reclaim your online identity.
• All OpenID enabled sites across the world instantly benefit from the security provided by eID-s without the knowledge of eID-s even existing!

Estonia has long promoted the investment opportunity of using Estonia as a small test market for new products.  I believe there is a real opportunity as a test market for new identity services.  The infrastructure and consumer preferences of the future are in place there today.

So here's a dangerous question.  What further step could the legislature take to foster development of forward looking identity services?  At Defrag, Esther Dyson suggested the need for personalized disclosure messages from marketeers.  Having an e-commerce site disclose in human readable terms what they know about you and why they are recommending an item is an ideal identity driven service. While powerful in concept, and would lead to new innovative solutions, it would be difficult to gain adoption from buyers.  Although she presented the idea to the FTC, she hoped it wouldn't have to be regulated. 

But perhaps it should, and at least consider the concept of regulating disclosures as an example, because security and privacy policy could provide a creative constraint to foster the innovation of identity services.  Identity is inherently within the political domain.  Developing forward looking policies may begin with a simple declaration of who should own your identity (you).  And for every right granted in Estonia, you may find a new identity service developed locally that serves a desired, ethical and modern form of human right, globally.

Image credit: BBC, picture of Linnar Viik's card