Tuesday, April 3, 2007

The problem with Open ID - it's the data

This may be old news, but having read "OpenID: Too many providers, not enough consumers", I figured I would add my own thoughts.

Nik touches on my views when he says the following:
"It seems that most of the justification for the big companies and other apps not
wanting to be providers is so that they can protect their customer base and
maintain a hold".
What is the reason behind this? What exactly is this "hold", and why does Open ID have problems with it? Well, if we consider the core data available as part data, profile information in Yadis and additional data you add in an application that uses an Open ID, you can probably rate their importance as 1, 2 and 3 respectively. Why is that?

Well, as an Open ID provider you typically have an aggregate of really important data such as your real name, your various email addresses, your home address and so on. That is data that is very, very valuable and, more importantly, it is data you want to keep private unless you explicitly choose to share it. You are unlikely to create many instances of this core data as it is pretty hard to follow it, so an Open ID provider getting this data for users puts itself in a pretty good position. You'll maybe change your Open ID provider as often as you change your email address - not that often!! The same kind of rules can be applied to any other data associated with your Open ID and stored at your provider - relatively speaking, of course.

However, in the world of consumers it's completely different. They start off by knowing almost nothing about you, except perhaps an Open ID login. In other words, they may not even get the email, first name and so on that you are often asked for when you log into various sites. No more 3 page forms perhaps? More specifically, the fact that Open ID helps you protect your data and only share what you want to means that you are less inclined to just enter data the consumer application doesn't really need.

This presents a problem. Open ID providers arguably hold all the aces here. If an Open ID provider decided to blacklist some site, it may seriously limit the number of users bothering to sign up. Also, a user will be much happier to move around services if they know their data trail isn't left behind - something less likely to happen with providers.

In short, it comes down to data and marketing. Everyone wants the data and so we have a disproportionate number of providers. The only real solution is for wholly independent bodies to manage your Open ID - whatever "wholly independent" means. This is quite ironic as the whole reason behind Open ID is to be open, but the rules of business dictate that although the protocols can be as open as we wish, the data itself won't be. It's just too valuable. What is it... $90 to get a new customer, $10 to keep one (or something like that).

Here's an additional question. Is it right that an Open ID provider should provide both identity AND profile information? Put another way, as a service that values my users' data highly, I'd be much more likely to "outsource" the authentication process and confirmation of identity rather than persistence of the data itself. So site A does a very simple job - it authenticates user A and that's it. That identifier can then be used locally and even against other sites to gather information desired. The issue at the moment seems to be that the providers want to do both (of course they do, it's around $70 profit a person).
