Identity Management: Not Necessarily a Privacy Tradeoff

Last Friday, The New York Times Bits blog carried an article entitled “Identity Companies: Paid to Know About You.” The article discussed three companies in the identity management space: a social login provider and two enterprise identity management companies. The thesis of the article is best summed up by a statement in the second paragraph: “…online identity, which is actually about knowing about the person logging into a Web site, extracting information about them and then passing it on profitably.”

While it’s true that the business model of many current identity management providers does involve “monetizing” the personal information of their users, it does not have to be this way. More generally, there are three sources of revenue for an identity management provider:

  • User fees, typically in the form of a subscription charge
  • Relying Party fees (from the site or service the user is authenticating to and optionally sharing information with), perhaps in the form of a per-transaction charge
  • Payments from a third party. These include payments for information about users and their behavior, and revenue from advertising that may be presented to the user as part of the authentication process.

Taking these in reverse order, third-party payments are perhaps the easiest to set up, because this is a proven business model: user behavior is potentially very valuable to advertisers and others, and mechanisms for paying for that information already exist. Advertising is also a proven business model, but is less common for identity management providers because it’s less effective when the user is in the midst of another transaction.

Relying party fees mimic the common business model for credit card transactions, although without a monetary transaction necessarily taking place, there isn’t a readily available mechanism to collect the fee. Since there may be many identity management services from which the user chooses, a system of payment intermediaries is probably required to avoid the need for each relying party to establish a relationship with every identity provider.

User fees are simpler to arrange, because users will typically contract with one or a small number of identity providers to manage their personal information. There is a common belief that users will be unwilling to pay such fees, but there is a growing awareness that “if you’re not paying, you’re the product, not the customer.” This is as yet an unproven business model, but as users discover more about how their information is being used in the current model, they may be more willing to pay for privacy. The fees in this case could be bundled as part of another service, such as banking.

OneID’s business model is not about monetizing users’ information. In fact, we have explicitly designed OneID so that your information is not available to us, only to you. We store our users’ information in encrypted form, with the keys retained by the user in the devices they control. An identity service that is trustable in this way enhances its value for users and relying parties, and respects the right of users to control the use and release of information about them. Identity services can, and should, be agents that act on behalf of their users, and not some often-invisible third party.