IT’S OPEN SEASON ON OPEN ID

If you haven’t already heard of it, OpenID is a shared identity service that lets Internet users log into a number of web sites with only one digital identity. This eliminates the need for a user name and password for each site. In a Washington Post article by Brian Krebs, “The key to your online identity [in OpenID] is the use of a Web or blog address, such as http://myblog.someplace.com.”

An OpenID is obviously no more than a URL, which simplifies things if you already own one. Then you have to pick a provider like Live Journal, Vox, VeriSign or MyOpenID. By using your online identity at a site accepting OpenID, you then have to confirm your identity credentials, and you’re in.

From what I can tell by visiting the four providers mentioned, the most personal data you give up to join is date of birth. You may be asked for additional private information later as a member when participating in company promotions or sweepstakes. And this data could be shared with outsiders. But the only site asking for a full name—almost completing the formula that could trigger identity theft along with date of birth—Is Vox, and they also want your gender. MyOpenID and VeriSign offer passwords along with normal industry standards for security. Vox and LiveJournal add to that SSL encryption to protect some data transmissions.

Bill Gates said Microsoft would throw their support behind OpenID, but, then, MS attempted to control online IDs with MSN Passport a few years ago which never caught on outside the company. Yahoo and Google also tried their own versions. Maybe it took a new set of entrepreneurs to get things rolling, because it is reported that there are over 160-million OpenID-enabled URIs (Uniform Resource Identifier), and nearly ten-thousand sites supporting this kind of login.

There are mixed reviews with advocates feeling OpenID can both prevent and open the floodgates to phishers and scam artists. But I think we have long since accepted the fact that if sensitive information that can lead to ID theft is available out there, the bad guys will find a way to harvest it. Prove me wrong, but I don’t think this is any different. There is another site from the WP article that provides more depth to the technology of OpenID that I am linking to here.

The upside is plainly convenience. The downside—and you’ve heard this many times from me—is that the OpenID is yet another process of creating a community of databases with at least four players already collecting your personal data. Since this new-found brainchild from geekdom will open the way to every portal on the Internet with which you have an association, and potentially could expose your complete world of private information, don’t you think you should demand some major controls over its security?

I’m not crying wolf before he’s in the henhouse, but at the least I would like to hear more from this new industry about what their plans are to protect your sensitive data, and just what safeguards will be put in place to combat a potential disaster of data loss when it happens. And we know it will…eventually.