Centralised Authentication
If you’ve had the misfortune to use MSN Messager, Hotmail or Microsoft’s MSDN services, you’ll be familiar with their centralised authentication system – Passport. Although I’ve signed up for a couple of Passport accounts professionally in my time at one job or another – I’ve always kept away from it on a personal basis. I’ve signed up in order to get a Messenger account, but used a throw-away email address and gave no other personal information. The simple reason is that I don’t trust Microsoft with the information, and in particular the context in which a centralised system holds that data. Not due to any general anti-Microsoft feeling, but simply because their track record isn’t good with keeping such data safe, and I also question their motives in holding it. I’m not going to rant on about it, but suffice to say I’ve made the personal choice not to make great use of that particular ‘service’.
So when I heard about Six Apart’s new centralised authentication system TypeKey I was a little skeptical. Six Apart are pitching the service as a method of battling comment spam, flooding and so on. The idea as I understand it (and to be fair, only marketing information exists so far) is that to post a comment on a TypeKey enabled blog, the user must have a TypeKey account/identity. If they already have one, the posting a comment is super-easy as the blog can fetch the user’s details automagically. Very convenient if you’re already signed up – and a pain the arse if you’re not. Still it would, in theory, cut down on spam. TypeKey will be integrated into the forthcoming version of MovableType, with APIs available shortly afterwards for developers to integrate the service with their own apps.
However, just as with Microsoft Passport, you have to question what’s happening with the data. Six Apart use carefully selected language to focus the security debate around that of keeping email addresses secure and not sending spam. This is far from being the issue – as you have to keep in mind the fact the Six Apart will potentially have the capability to track your movements around the web, with each TypeKey site you hit phoning home and logging your presence. I’m not one to get paranoid about this sort of thing from a privacy point of view, however, the data Six Apart could collect would be commercially extremely valuable and here we are handing it over for free. I don’t object to being spied on for giggles, but I object to people profiting from selling data about me without asking me first.
Of course, there are issues with a centralised service should that service become unavailable through attack, mismanagement or just bad luck. See Dean’s thoughts on this issue.
For me, I’d like to ask Six Apart the following
- If you’re going to collect and use data for any other purposes than system maintenance, be explicit in stating that use and its purpose. Let the user opt-in with full knowledge of the implications.
- If you’re not going to use the data for purposes other than system maintenance, please roughly outline how this service is maintained financially, and how it can be sustained. (will it be around in 12 months?)
- If you’re not going to use the data for purposes other than system maintenance, please outline the technical factors which are limiting you doing this.
A system like this could be excellent, but could also be a complete disaster. To be centralised, the system will have to prove itself to be trustworthy both technically and ethically. I worry that Six Apart are being a little presumptuous in respect of that trust.