Human Voices, Episode 6: Privacy and the Internet – Why the Two go Hand in Hand

Hosted By Bastian Purrer

January 18, 2021

Welcome back to Human Voices, humanID’s podcast talking cybersecurity, privacy, and news in tech! This week, we’re joined by Dick Hardt, an innovator and entrepreneur who’s been in the privacy space for over 15 years and has worked on projects like OAuth, and signin.org.

You can listen along to Human Voices right here or on Spotify, Apple Podcasts, Anchor, or ListenNotes! The below teaser has been edited for clarity and brevity. 

humanID: Dick has been for a long time, part of the identity space. He’s started numerous startups in the space and he’s passionate just like us at humanID about open source, about identity, and specifically has been involved with writing the OAuth protocol, which is the open standard or the authorization protocol that’s used by most of the social sign-on today. He is a founding board member of the open ID foundation. Thanks Dick, for being on board and joining us today. So is there anything I’m missing on your background that I should have mentioned?

Hardt: [O]ne of the other things that I really drove was my “Identity through user-centric” talk that I gave 15 years ago that I think really opened up a lot of people’s eyes around a model that we had now that was very site-centric, and the model that was user-centric would be much more powerful for everybody.

humanID: Why do you think 15 years after your talk and over two, three decades into the internet, we’re still struggling with finding a good solution for online identity?

Hardt: It was not a layer designed into the internet, in the early day. People just trusted everybody. You didn’t need to really know who anybody was. Now since I gave my talk, a number of protocols and technology started up and people realized that there is all the OAuth work around how do I let you know one application access resources that another application has without giving my username and password away, and once people started doing that they realized oh well there’s an API I can call to say which user it is. I could use that for authentication, as well as just authorization. So things that were really around sharing and connecting your apps but it morphed into identity protocols and Facebook being one of the leaders in that. And then we started to go and get all of the sign in with x buttons and the issues that come with that because they’re a very fractured market. There wasn’t a standard way for a user to pick it. In that model it’s the developers that are picking which services offer, which now is consolidated down to primarily Facebook and Google. The user can pick out of that but it may not be the users choice at all which one is being presented to them.

To your question why haven’t we solved this,we have to look back as to what are the pieces that need to be in a solution. It’s not a Greenfield opportunity on the internet, there’s billions of people on there, they already have a bunch of stuff, they’re already used to certain mental models and interaction models.  So we need to try to work within those. Many people have proposed well I’ve got this new way of doing identity, and you know one of the new ways that’s gathered a lot of attention recently has been things around blockchain or decentralized identity. The challenge with all of those models is nobody has anything.

You’re at the long end of network effects.When no one else is in your network there’s no value of somebody joining your network because there’s no one else in the network. And so, how do you get there from here, because it’s a three sided market. You’ve got users who need to be familiar and comfortable and have something, you have providers that are making statements about the user or authenticating them and making that statement. And then you have developers or, you know, also those relying parties that are getting the statement. And so all three of those roles have to have the technology for it to work. And that’s hard. Historically the only people that could drive a whole change in a platform like that have been large companies.

Microsoft tried to drive that with Passport and a whole bunch of Silicon Valley decided they were allergic to Microsoft being at the center of internet identity and created the Liberty Alliance, and then Microsoft thought okay well, we’ve learned and they started off with info cards which was happening when I was at Microsoft. While the identity people thought, “hey this solves a whole bunch of problems”, nobody else was really interested in the problems. To summarize those challenges, it’s really hard to get people to adopt any new technology, if not impossible, if it isn’t just incremental and nobody really wants to trust some commercial entity to be in control of all of identity. And so you’re seeing a lot of backlash against, not just from a privacy point of view on Facebook and Google, but the control they wield between consumers and the rest of the world.

humanID: Do you think the original architect of the internet didn’t know what they were building, didn’t know what they were getting themselves into when they built the internet? If you could go back to that day, to the day of the greenfield opportunity, was there a chance to build it in?

Hardt: Let’s go back to the people we created. They were much more interested in having a network that was resilient that would work even if nodes went away. They were really successful in the goals they had. The network was wildly more successful than they anticipated.