What could be the next dominant force on the Internet?

Tuesday, August 7, 2007

What's next after Google? The Private Identity Network?

Just as Google came along a few years ago and grew to dominate the Internet, something else will take over from Google (the search and ads concept) as the dominant force.

This series of questions and answers outlines not a company, but a prospective industry that could replace Google and search related advertising as the dominant force on the Internet.

That prospective industry is comprised of Private Identity Providers (PIPs) and a single Network Guardian (NG). Together they comprise the Private Identity Network (PIN)- a gated community of individuals who choose to get the most out of the Internet while enjoying optimal privacy and security. The PIN is a virtual shell encapsulating the existing Internet.

What can Private Identity Providers and the Private Identity Network do for us that will make it a replacement for Google as the dominant force?

1. Provision our identity across the Internet so we don't have to remember and enter countless user names, passwords, and captchas.
2. Filter our data both downstream and upstream so our surfing experience is less interrupted by undesirable intrusions.
3. Provide us with absolute anonymity at those sites that allow it
4. Provide us with convenient, repeatable pseudonymity at the sites that allow that
5. Certify our identity off line as enabled by off line partners
6. Provide single sign on to any device, anywhere
7. Provision our identity to access non-PC machines like locks and ticket acceptors
8. Provide a secure repository for our lifetime of data, while allowing limited access for limited purposes by parties we authorize
9. Provide a trusted way to manage intellectual property so creators and users are protected
10. Do all these things at no cost to the user

Is the Private Identity Network "Big Brother"?

1. The PIN is the opposite of "Big Brother" as it is completely voluntary and not coercive
2. The PIN uses market forces rather than coercion to optimize identity and data security
3. The PIN is independent of any governmental entity and is designed to minimize potential governmental intrusions- implementing the PIN should not require government permission as it is a network of individuals making private choices about their identities and data
4. Users must choose to log on and utilize the PIN every time they use a connected device
5. The anonymity provided in using the PIN will be superior to the anonymity available today, as the PIPs will have incentive to provide anonymity services that will be just as strong and reliable as identity services
6. This portion of the post was added after the first few commenters expressed concerns about "Big Brother" and preemptive government regulation .

How does the Private Identity Network and its Private Identity Providers work?

1. Private Identity Providers are peers on the PIN that compete for users by offering the best services and reputation for trustworthiness
2. The PIN is regulated by a Network Guardian, an entity that is owned by its investors, Private Identity Providers, and users
3. The Private Identity Network is a network of people, not machines, only natural persons can be members of the PIN
4. Registering for PIN membership with a Private Identity Provider will involve off line identity documentation, and each person may only have one active registration on the PIN
5. Corporations, governments, and other non-personal entities may be represented on the PIN by persons who present appropriate evidence of their position
6. Upon log on, your Private Identity Provider creates a secure virtual connection to you, Private Identity Providers also have secure connections with each other and the Network Guardian, these links form the PIN as a secure shell around the existing Internet that still has access to the existing Internet

What is the revenue model for Private Identity Providers?

1. Since all your data travels through your Private Identity Provider after log on, you Identity Provider will come to know almost everything about you
2. Since a Private Identity Provider would destroy their reputation by selling anyone's information, they will instead sell "message delivery and response monitoring"
3. An example, if you own a dry cleaning company (like I do) you might want to make a free trial offer to the people in your service area that spend the most on dry cleaning. I would contact some sort of aggregator who would arrange for my offer to be delivered by the various identity providers in the area. After the results came in, I would pay the agreed upon price for how many people actually used the offer. Neither I nor the aggregator would ever have to know the identities of the non-respondents. The desire to get maximum payment would motivate each Private Identity Provider to make sure the message was received by those most likely to respond. Private Identity Providers would not have incentive to bombard their users with irrelevant messages as this would generate no income for them and tarnish their reputation with users.

How does the Network Guardian work?

1. The Network Guardian has three responsibilities- maintain a minimal identification database, accredit Private Identity Providers, and regulate PIPs and users.
2. The Network Guardian member identification database contains only the bare minimum of data to insure that an individual is unique on the PIN, it will likely contain birth name, birth date, birth time and place (birth coordinates) and parent's names. This is information that is already public, at least in the United States. All other identity data will be kept at the PIP level, where the loss of any such data would be devastating to a Private Identity Provider.
3. The Network Guardian will accredit Private Identity Providers based upon their demonstrated ability to secure member data. There may be multiple competing approaches to data security, as that is an intentional and hopefully robust component of the PIN.
4. The Network Guardian will have the power to fine or remove accreditation from a Private Identity Provider. It will also have the power to fine or ban users.
5. The Network Guardian will be structured to avoid regulation or coercion by any government. It will operate within the computing cloud provided by the Private Identity Providers. Its owners and employees will conduct its business behind the screen of their respective PIPs while maintaining transparency in operations by real time open logging of all matters and meetings. The Network Guardian will own no physical property that can be seized or attached by any government.
6. The Network Guardian will generate revenue by a "tax" on Private Identity Providers

Why is the Private Identity Network for natural persons only? What about minors and invalids?

1. That the PIN is a network of natural persons is the fundamental simplification that makes the whole idea workable. Everything you see, hear, say or do on the PIN belongs to you forever. So you must be responsible for your words and actions.
2. Much of what I've read in the identity community is concerned with the complex interactions that arise when people are defined in terms of their associations with non-personal entities such as corporations and governments. The PIN flips that paradigm by treating individuals as the basic units and non-personal entities as temporary attributes.
2. There are a multitude of places where your identity is immaterial, at those places, you will have directed your PIP to not divulge who you are, but rather just that you are a qualified user.
3. There are other places where you prefer to use a pseudonym. Your PIP will provision that aspect of your identity as well, if that place allows it.
4. Minors and invalids can use the PIN by having an account that is sponsored by a PIN member who is willing to be responsible for its use.

How can we possibly get from today to the Private Identity Network?

1. Just one Private Identity Provider can start the whole ball rolling. The Network Guardian doesn't come into play until their are multiple Private Identity Providers.
2. While all the advantages of the PIN cannot be realized until it becomes a dominant force, a single Private Identity Provider can still offer many advantages to its users including single sign on identity provisioning, filtering of data, and data storage
3. Another incentive for users to start using the PIN may be to offer share ownership in the Network Guardian for early adopters. Because of the nature of the Network Guardian, it is important that ownership of that entity be widely dispersed
4. You don't need to trust your Private Identity Provider with everything initially, as your confidence in your PIP grows, you will achieve a comfort level that will eventually have you storing your bank records, medical records, educational records, and everything else- but only when you are ready for that, initially you may just store user names and passwords for the multitude of sites you frequent

In what ways are Private Identity Providers private?

1. PIPs are private, commercial entities that can be as small or grow as large as their ability to attract users
2. PIPs, in order to compete for users, must be as privacy oriented as practical, they are "trust companies" in the same sense that banks used to be before government deposit insurance
3. A PIP is subject to the laws of the land in which it is located, it is anticipated that PIPs, in order to be competitive, will locate in jurisdictions where privacy is relatively respected

Why should I trust any sensitive information to any private company?

1. Because you already do, and in a much less secure and private way than is contemplated here. For example, credit agencies have files on you and you certainly didn't pick them for that task. The PIN allows you to use your consumer power to select who holds the keys to your information.
2. Because a poor alternative is to trust it to a government, with often arbitrary powers to strip you of your life, liberty, and property.
3. Because these private companies, the PIPs, can only grow by earning the trust of the user community- any well publicized intentional or accidental breach of user information will likely do significant damage to their user count
4. To remain competitive, the competing PIPs will, over time, develop various technical and social schemes to slice and distribute your data in such a way that it is protected from all but the most robust attacks, even by insiders

What does the world look like 10 years after the PIN is widespread?

1. The vast majority of people are members of the PIN
2. Their are 3-4 huge PIPs and hundreds of smaller ones.
3. People who are not members of the PIN are treated very suspiciously on line
4. Spam, sock puppetry, phishing, identity theft, and other asocial behaviors are absent from the PIN while still thriving and multiplying on the old insecure Internet
5. Users will enjoy getting highly targeted marketing messages for products and services that match their interests very closely, with an option to turn their volume up or down

What else can Private Identity Provision do for users?

1. It is an all purpose identification system that you don't need to carry with you
2. To identify yourself to any entity that you wish you enter your PIN identification information into any network connected device anywhere, your PIP then returns its certification that you are who you claim to be
3. If you are being forced to provide identity information to a private party, you will have a prearranged alternate log in with your PIP to summon the authorities.
4. If you are being forced by the authorities to provide identity information, you will have a different prearranged alternate log in to notify appropriate individuals and organizations of your plight
5. You identity is the universal key to networked keyed objects- for instance, your house or car can be left unlocked, when someone enters, motion detectors start a timer that gives you adequate time to enter your PIP identification information, if it is not entered, the doors automatically lock and the authorities are summoned, trapping transgressors
6. Your identity is your credit. No need to carry around cards or similar. When paying for items log in to your PIP and probably execute a secondary log in to authorize payment.
7. Your identity is your ticket. Instead of printing tickets for transportation and entertainment, log in as you enter or print out a quick ticket as is currently done by many airlines using a credit card for ID.
8. You can share limited information with limited entities. For instance, you might give your doctor's office a one hour permission to read and append only your medical information. Or give your daughter's prospective college a window in which to examine her high school records.

Where will these Private Identity Providers come from?

1. As is generally true in new industries, the initial players will likely come "out of nowhere"
2. This is a natural fit for banks to expand their present role as caretakers of our money into caretakers of all of our information and identity
3. Existing Internet filter providers may have a technological advantage that would allow them easy entry
4. Google, if they are interested, because, well, they are Google.

What is the purpose of this posting?

1. To find people who would like to get really rich building the PIN
2. To see if there are undetected flaws in this concept
3. To stimulate new thought on identity paradigms
4. To advance the possibility that the several patents pending related to this material will have some value someday
5. To make the Internet safer, more useful and more enjoyable

The following section was added on 10/15/07 after email feedback. Thank you Doc Searls for sending the traffic!

Why is the Private Identity Network revolutionary when compared to the Identity Metasystem?

The PIN requires user uniqueness:

1. Users on the PIN many only have one presence. They cannot pretend to be two different people in interactions where the other parties require uniqueness or register with multiple Identity Providers with fraudulent credentials in order to have multiple presences (allowing that some will get away with some fraud). They may use multiple Identity Providers, but when the do so the Network Guardian will alert other parties if a uniqueness issue arises. This uniqueness is fundamental to the user benefits of the Network since uniqueness creates durable reputations.

The PIN introduces two new parties that don't exist on the IM:

1. Identity Providers- The IM has "identity providers" also but in that usage identity providers are entities with primary purposes other than identity. Identity Providers on the PIN primarily provision identities. Identity provision is not an add on function like it is for businesses, governments, or individuals. Their entire livelihood is predicated upon being a reliable and secure provisioner of identities. They may do other things, but if they fail in their responsibility as identity provisioners, they will lose their users.

2. The single Network Guardian- The IM does not have a controlling authority. I struggled long and hard with this potential problem and concluded that a cooperatively owned and controlled central authority with very limited powers and very limited access to data is possible and essential and can be administered free of governmental force.

The PIN simplifies the problem by removing important classes of parties from the system:

1. Governments- Governments may be represented on the PIN by duly identified individuals who are members individually of the PIN. This is a throwback to an old practice. When I renew my auto registration in my county, I am directed to make out the check directly to David Childs. Since it is publicly known that he is the County Tax Collector, I don't have any problem doing this.

2. Corporations- Like governments and all other forms of non-personal entities corporations may be represented on the PIN by duly identified individuals who are member individually of the PIN. Corporations are "second order" non-personal entities as governments are formed by the people and then corporations are chartered by governments. I would expect that Identity Providers will have more requirements for a member to prove they represent a corporation than to represent a government where the relevant records are much more public.

The PIN simplifies the problem by focusing on the most important component of an identity system:

1. People- the PIN is a network of natural persons. The first members will be personally known to one another and from there will flow the standards necessary to allow the Network to scale. People have natural existences that are relatively easy to track- they are born and they die, they have parents and they have children. This "natural" information is really the only data that needs to be stored by the Network Guardian. Every one of us has a unique birth coordinate and the place and time conventions are widely accepted.

The PIN plan explicitly outlines the incentives for every party:

1. Identity Providers get to make a lot of money by knowing their users and monetizing that knowledge in a way that is both acceptable to the users and protects their data
2. The partners/shareholders of the Network Guardian get to make a little money but will also have control over an organization that will become as important to life on Earth as any existing government, but without owning a single tangible asset or using any physical force
3. Users will enjoy an Internet that is virtually free from it current ills- spam, phishing, accidental encounters with porn, etc. They will also have an enormously greater and higher quality range of services available than is available now or would be available as the Internet continues to expand without the PIN. Over time PIN users will avoid the stigma of not being PIN users in interactions with others where trust is a large factor and the other parties want to know exactly who they are interacting with. This will eventually create a huge incentive for everyone to join the PIN.

The PIN is software, hardware, and business model independent:

1. The PIN is a functional topology, the software to implement it will be developed and improved by the free market competition and trans-network cooperation of the Identity Providers.
2. The PIN is hardware agnostic, it can be accessed from a PC, a cell phone, a networked vehicle or any type of present or future networked device.
3. As long as they meet the accreditation of the Network Guardian, Identity Providers can operate for any reason and way they wish- as non-profits, single individuals, using open source software, proprietary software, to make lots of money, to provide a "no marketing messages" service- whatever the marketplace will bear

The PIN functions as more than just an identity metasystem:

1. If you choose, your Identity Provider can be your data warehouse. It can be your banker. It can be your application provider. Identity Providers, as their users choose, can provide any sort of information service. The market will determine over time which services will best be performed by Identity Providers and which services will go through others, though I believe, from the user's perspective it will likely look like your Identity Provider is doing it all.
2. The PIN is a foundation on which to build the semantic web. If people have real reputations to protect they will fairly and objectively evaluate their own creations and others creations. With a pool of trustworthy creators/critics as wide as the web itself searching the ratings will yield vastly superior results to today's searches.
3. Your Identity Provider can provision your identity in numerous contexts as they connect to the Network. You can be identified to various objects- your car locks, your home locks, your office locks. You can be identified to various entities- as a paid for passenger on an airplane, a fan at an event, a citizen to a government authority.
4. If you choose, your Identity Provider can filter your incoming data to rid it of undesirable elements as you specify

The PIN plan provides for a realistic path to actual implementation:

1. It will only take one Identity Provider to get things started. Users will have immediate benefits even before the network builds out. One start up has already contacted me in the last few days about possibly being a PIN Identity Provider.
2. The Network Guardian can be a very small scale operation in the earliest days.
3. As the idea spreads other Identity Providers will begin operation.
4. The patents pending on this will discourage other entrants from starting a whole other network based on similar principles.
5. This should spread virally, as the PIN becomes more valuable to the user as more users join and not being on the PIN after a while could brand you as a user that does not want to have a durable on line reputation

Thanks for reading! Please see other related posts at treytomeny.com and leave a comment or email me at treyattomenydotus. I can't figure out how to keep the main post on top here and add others below so if you know the working of Blogger, I'd appreciate that.


olyerickson said...

So I think that the notion of creating a privacy infrastructure has merit. But the problem of protecting private data is not merely a technical problem; unless intermediary entities are fully held accountable for losing or otherwise mis-handling data, there is little reason for them to adopt such infrastructure.

One key problem is that there is very little legal precedent for data-handling and data-consuming companies being held accountable to e.g. click-through privacy agreements. In most jurisdictions, esp. in the USA, companies are usually not liable.

This legal environment must change, just as the technical infrastructure must change...

Trey Tomeny said...


I agree with you that accountablility is key.

This proposal bypasses the need for changes to the legal or technical infrastructure by relying on market competition and private contracts to provide accountability.

Private Identity Providers will safeguard your identity and other data or they will go out of business. A data loss will cause a "run" on a PIP as users flee to more secure PIPs. The Network Guardian will have contractual arrangements with PIPs to safely transfer data to more secure PIPs if a PIP is compromised.

The PIPs will continually compete to come up with the best technical ways of safeguarding your data as well as locating themselves within political entities that allow them to be competitive in safeguarding data.

The liability that the PIPs face is not the value of lost data, it is the much greater liability of many lost users if they lose any user data.

olyerickson said...

The notion of employing extra-governmental means (e.g. improved technical infrastructure and business instruments such as contracts) to fortify privacy is compelling, but needs to be tested to uncover its limitations.

I think by now we're all familiar with Lessig's arguments about how technical architectures impose their own realities --- for good or for evil --- regardless of a legal context. This is a very strong and compelling argument, and worrisome for those who are concerned about e.g. copyright holders imposing their own techno-sui-generis to revoke concepts such as fair use. But as you seem to imply, well-designed technical mechanisms may have strong positives, and in particular there may be an opportunity to create a privacy infrastructure "done right" outside of the of current haphazard collection of systems.

Regarding the use of business instruments to fortify privacy, you've expressed a confidence that instruments such as contracts will strengthen the infrastructure. I'm somewhat skeptical about this, because contract law is subject to jurisdiction and precedence. To be fair, you seem to be focusing on "back-end" contracts regarding data handling, which might be "stronger" than end-user "privacy contracts."

The great Pam Samuelson wrote about "Privacy as Intellectual Property" in 1999 [c.f. http://tinyurl.com/ytk4gg], where she discussed both the advantages and dangers of introducing private data into the intellectual property domain. I think she ultimately agrees with you, that in the end market forces will orient themselves to privacy-protecting practices, with or without special legal constructions.

[Disclaimer! I'm not a lawyer, jsut a guy who's been looking at the collision of technology and public policy for some time...]

Anonymous said...


Why would one do this? First off many people like the internet because they can be truly anonymous. With your idea someone (big brother) would always know exactly who we are.

Also with the amount of private data that would be stored by one of these PIP's you are begging for data to be stolen. Sure people wouldn't use that PIP again, but their personal information is already stolen. That's a huge price to pay.

Just wanted to throw my two cents in.

Trey Tomeny said...


If you prefer present style anonymity for a particular session, just don't log in with your PIP and proceed as you do now.

However, I would suggest that you are more anonymous hiding behind your PIP than you currently are without it. Your PIP will be doing everything within its power in order to "keep the faith" of its users. Current ISPs have no such incentive system and there have been many instances where they have sold out users, particularly in totalitarian countries.

As far as data security goes, once again, the marketplace will not tolerate insecure PIPs. I'm sure, in order to attract users, PIPs will offer third party insurance against data loss. I also imagine that PIPs will come up with schemes to encrypt and protect data so that their premiums for that insurance will be as small as possible and your risk will therefore be as small as possible.

Trey Tomeny said...


I realized I didn't answer your main question- Why?

The paradox is that in order to have ultimate security in anything, you must first give up everything. You can't have someone guard you mansion unless you trust someone to guard your mansion.

The beauty of the Private Identity Network is that you are choosing who to trust everything, or at first just a little of everything, with. The PIPs are in the trust business, their entire existence and livelihood depends on guarding your stuff.

There is no Big Brother. Your data is not kept by the Network Guardian, it is kept by your chosen PIP. IF you get uncomfortable with your PIP, change PIPs. The Network Guardian will step in at that point and use its regulatory authority to make sure all of your data has been transferred and not copies remain behind. The only person with access to you data is you and those that you specifically authorize.

Compare that to now, where three different credit bureaus have all sorts of data on you. After a few years of working through your PIP exclusively they will not have near as much data on you. Then potential creditors will have to contact your PIP for a credit reference- so you should be in a much better position on your credit history than you are now.

melvster said...

Very interesting post, enjoyed reading it, thanks.

funkidredd said...

Trey, can see the bigger picture and am totally "reading from your page". Would love to talk to you some more about all this - contact me at nhague(remove this kids!)@hotmail.com. Cheers muchly.

dsearls said...


I think it's a great idea. As for the legal and technical hurdles, as well as the inertial body-at-rest issues raised by other commenters... sure. They're there. But that's no reason not to try turning the concept into reality.

More later. Just wanted to salute a good and thoughtful effort on your part. Rock on.


Robert said...

Trey, I would appreciate if you can send me an email. r-o-b-m-n-l@g-m-a-i-l-.-c-o-m remove all dashes

Lucia said...

One of the main problems is that it's so easy for hackers and phishers to conceal their own identities.
And as hackers become more efficient in the processes, more and more people will be effected.
I agree with Tony Rutkowski's argument that we need to employ trusted identity management on the net or "the users who depend on them would be massively susceptible to vulnerabilities that include large-scale network attacks, abuse, fraud, and a litany of crime."

Anonymous said...

The basic idea behind this is already being commercialized: SXIP is rolling this out in BC, Canada.

You can watch Dick Hardt talk in a very compelling and persuasive way about this back at OSCON 2005.

- Ntwiga

Trey Tomeny said...


Thanks for the link, that was an impressive presentation.

Sxip seems to be headed in this direction but there are numerous features that make this proposal substantially different, especially considering their collaboration with a government entity.

I emailed Dick Hardt in hopes of getting his feedback on this.

Arijit Sengupta said...

The way I understand it is that apart from what information I want to provide, i also provide another information - the name of my Identity Provider. This can be used for economic or geographic profiling and can be a major source of invasion of privacy.

Trey Tomeny said...


It seems that your objection is that others will know not only the information you choose to provide but they also will know who your Identity Provider is.

I don't see why they would need to find out who your Identity Provider is. The Identity Provider can operate anonymously on your behalf as long as they are known by the other Identity Providers and the Network Guardian.

I also don't believe that, if your Identity Provider is known, that it will necessarily infer any particular geographic or economic information. Competition for users will force most Identity Providers to seek our any and all types of users.

Aria said...

I appreciate my privacy but would also love some sort of automatic database of all of my accounts with so many password variations and username requirements.

I would also worry about accountability. If something like that folded, that would be a big deal to me!

About Me

I am a Christ follower and that is the number one priority in my life.