On Infomediaries and Identity Providers

In 1999, Hagel III and Singer, in their book “Net Worth: Shaping Markets When Customers Make the Rules,” introduced and elaborated on the notion of “infomediaries.”

An infomediary is a trusted organization that acts as a custodian, agent, or broker of personal information of an individual, sharing it with others on the individual’s behalf (and possibly under some degree of control of the individual). In the Internet bubble, this business model gave rise to a flurry of wanna-be infomediaries. Companies such as Enonymous, Lumeria, PopularDemand, PrivacyBank, and PrivaSeek all aimed to become one-stop brokers of personal data by persuading individuals to funnel all their transactions through their company. In spite of the hype around infomediaries in the late nineties, there are none around today that have managed to make a business for themselves.

Recent grassroots initiatives in personal identity management, such as SXIP, Identity Commons, FOAF, and LID, are in various forms proposing what amounts to infomediaries. Will these efforts lead to first successful infomediaries? It is too early to tell, but I am personally hesitant for two reasons:

• Since the primary goal of the infomediary is to make a business out of sharing (“selling”) the personal information of its customers, its interests will always be at odds with the interests of the individuals whose data they broker. Indeed, in some recent discussions it has been suggested that “infomediaries” in personal identity management efforts could become a viable business model because they could act vis-à-vis service providers as a more trusted party about personal information than individuals themselves; the irony of this suggestion speaks for itself.
• The involved set-up time and the ongoing self-administration burden (both for the entering of user identity information itself and for setting up release conditions) are serious hassles for individuals.

For these reasons, I predict that the infomediary model in personal identity management is doomed to take off on a large scale as a profitable business model. This does not mean there is no room for organizations that make a business out of sharing personal information on behalf of customers. In contrast, I believe that the “identity providers” in federated enterprise management efforts such a Liberty Alliance have a serious chance of taking off as “next-generation infomediaries,” assuming that they succeed in properly addressing the real privacy and security concerns of individuals:

• Firstly, identity providers are not new parties that have to ask individuals to entrust them with personal information; they already have that data, presumably collected as part of their prior or ongoing transactions with these individuals.
• Secondly, relying parties can place greater trust in identity assertions made by identity providers than in self-generated assertions that individuals can generate and present to them on the spot. In other words, identity assertion providers can provide credential information about individuals.

The trick in making this identity provider business model work is to ensure that identity providers cannot violate the privacy of participating individuals, while minimizing their ongoing involvement. This, then, leads to the notion of “user-centric” federated identity management. More on this in my next posting on this topic.

February 1, 2005 - Posted by Stefan Brands | General