Online Identity Management

Since the early 1990s, I’ve been fascinated by the concept of online identity management: what it means to have an identity online, what stays consistent with the offline world, what becomes more fluid, and what becomes more fixed.

It’s a very vibrant space right now, with commercial vendors, open source projects, trends, and standards all vying for attention. I’m thinking here of a couple of overlapping categories:

A standard, for which there are good open source libraries, but also commercial providers. Increasingly I’m seeing OpenID as one service (often the anchor service) provided as part of a suite. Of course the traditional mainstream web players like LiveJournal,, Yahoo! and AOL (through AIM) are providing OpenIDs as well.
Lifestream and Profile Aggregation
More social networks == more profiles, and more feeds. A number of services/projects have sprung up (I talk about a few below, but there are many others as well) which enable you to aggregate together all of your profiles in a single place. Some are more focused on aggregating all of your feeds – creating your lifestream and letting others subscribe to it; others are focused on aggregating the feeds of your friends, to make it easier for you to follow.
The Data Portability Project, Open Web Foundation, Open Social Foundation,
These foundations are not focused (directly) on producing software, but on building awareness of and consensus about the need for user freedom on the internet, and publishing open specifications which will lead to a world in which our online identities and data streams can be more easily managed, exchanged, and even migrated from provider to provider.

It would really be a full-time job to keep track of all that is going on in this space, but here are a few I’ve been following / trying out. enables each user to create their own domain in the .mp TLD space. You can check out mine at provides OpenID, but doesn’t (yet) consume it. (I can use as an OpenID to log in to other sites, but I can’t login to with an OpenID from elsewhere). also supports a number of services (currently Twitter, Facebook, Flickr, Gmail, Yahoo (mail), and Hotmail). For those which provide activity feeds, will pull those feeds into your profile (viewable by others) and dashboard (viewable only by you). There’s also a generic RSS feed import capability, for services (like personal blogs) that doesn’t know.

Finally, also supports your social graph – your friends lists or contacts lists from various services can be imported – from webmail services like gmail and hotmail but also from services like Twitter, Facebook, and Flickr which have contacts or friends exposed via an API.

It’s very highly configurable, in terms of who can see what. You can tag contacts, and tag feeds, and use tags to determine visibility of feeds to groups of contacts. I haven’t yet really figured out what else will be able to do with webmail services – I don’t think I will ever want emails I send or receive showing up in my action stream or on my profile, but certainly being able to leverage various APIs for getting contacts will reduce the need to “refriend” people on each new network.

For now, however, has no way to identify that the “John Doe” you are friends with on facebook is the same person as the “John Doe” who is a contact on Flickr – they provide a simple way to manage contacts (and “merge” the two contacts into one virtual person) but there is still human effort (decision making) involved in reconciling these graphs.


Trufina adds an interesting twist in that they are trying to more tightly link online identity to offline. Using a method well known to financial services companies – the ability to answer a short set of questions about your financial history which would not be known to someone who found your wallet in the street – Trufina verifies that the person using the name John Eckman is the same one who lives at a given address and has other “meat space” attributes.

You can see my default public profile here:
Ask to see my identity at

I have to say their focus on “criminal background checks” I found a bit creepy: I realize that background checks are important for certain kinds of employment, but it seems like the need (and even desire) to assert a record free of felony convictions should be a niche market, not the default market for an online identity vendor. (Employment verification and educational background verification are said to be in development).

They also then enable you as a user to share various parts of your verified identity with others, including inside a number of social networks. You can create an “ID Card” and show that to only specific folks. There was no way I could find, however, to not show the “Criminal Records Search” section of the ID Card – it seems to always show either “” or “” – neither of which makes for high confidence. How about the ability to not show that section at all, if I don’t think it’s relevant, in which case you could also dispense with the rather elaborate disclaimer about criminal record checks.

I also found it frustrating that the default “profile” view – the only one people can get to who haven’t been specifically authorized by you – shows only the Trufina user name. Obviously given the market Trufina is after, and the data that a full profile might ultimately contain, they need to be concerned about privacy. But what if I’m perfectly happy to have people see my first and last name and maybe state of residence and employment?

The key to privacy needs to be control, not defaults which prevent users from making basic data public.

The folks at have partnered with Trufina, to link your “Trufina Verified Identity” to an OpenID which can be used throughout the web. It’s a great concept – to be able to demonstrate that the virtual identity a given OpenID represents is tied to a real offline person could be quite valuable.

I’d hope to preserve, however, the option to also have OpenIDs which are not linked to my offline identity. The ability to get the benefits of OpenID (in terms of single-sign-on) without necessarily having all online activity tracked directly to your offline identity is one of the freedoms the internet promises and I’d hate to lose that. (A number of OpenID providers enable you to create multiple OpenIDs that only they know are associated with each other – this enables you to project different identities on different sites).

Like many of these services, is in beta, and was having trouble with their control panel when I signed up, so it’s possible I haven’t yet seen what flexibility they offer in creating and using OpenIDs tied to your Trufina identity.

I use ClaimID with delegation to use as an OpenID. ClaimID also provides a basic profile page on which you can enter links to web sites and verify your ownership of them, as well as display contacts, optionally marked up in XFN (with semantic data about the relationship you have with each contact).

Movable Type with Action Streams Plugin

I use the open source edition of Movable Type with the Action Streams plugin to power as a lifestream aggregator, pulling in feeds from various web services. Creating additional plugins to add services to Action Streams is relatively simple, and I’m hosting it myself so I have complete access to the data stored and complete flexibility in display.

The DiSO project has produced a similar plugin (WP-DiSo-ActionStream) for pulling action streams into WordPress (I’m using the OpenID plugin from DiSO on this blog), and there’s an Activity Streams module available for Drupal as well.

Finally, there’s Sweetcron, which I have only just started to experiment with, but which focuses on just managing the action stream aggregation without the extra functionality (and overhead) of a blog or other framework like MT, WordPress, or Drupal. It’s also easily extended.

As all of these evolve, how much ownership and control will users want to have over the content their online activity produces? How much technical understand and effort will they be willing to expend in order to exert that control?

What, in other words, will be the balance between hosted providers (they do all the work but also retain some element of control) and self-hosted open source platforms (you do more work and gain more control)?

Will the central difference between the two options lessen as real data portability becomes commonplace?


  1. John, thank you for your comments about our service. It is very coincidental, and helpful, that you commented on the public ID Card aspect of our product. You will see some changes next week which addresses some of your concerns – particularly the emphasis on “Criminal Records Search” and the elaborate disclaimer. We’re also adding a feature so that anyone can request ‘you’ to share information with them, however, we continue to struggle with including verified information in the public ‘ID Card’ because of security concerns.

    Because any web page can easily be forged, we purposely require people to go to either a partner of ours (like or back to Trufina to expose verified information. Maybe we are being to paranoid, and will take your opinion into account for future product changes.

    If you have any other comments, please let us know.

    Cheers, Chris

  2. Thanks for the comment Chris. I can completely understand the rationale behind the requirement – for when people are expecting and depending on a verified identity.

    It’s really just that there are a range of needs – perhaps users could have the option to publicly assert an identity (for example, at least a full name and perhaps an employer or state) which you could then require them to come back to Trufina to validate?

    I guess the question comes down to whether what someone who I haven’t granted specific rights see at is enough for that profile to have general utility – and maybe as more social networks partner with companies like Trufina that question will be less relevant, as the Trufina badge would become a part of my other profiles, rather than a standalone public profile in its own right.

Comments are closed.