PayPal Inc. is on the road to becoming the “Visa” of the Internet, according to a keynote speech at SecTor in Toronto, where Andrew Nash presented the company’s plans to expand into the identity provider business.
The term identity provider (IDP) has existed in the identity technology space, but the actual implementation for consumers is just beginning, explained Nash, PayPal’s senior director of identity services, in a post-keynote interview.
“Identity providers in the case we are talking about are actually an entity that creates credentials, establishes who you are, manages the lifecycle of those credentials and acts as a conduit for attributes and controls policy associated with how your identity could be used,” said Nash.
Consumers would essentially have a single online identity for accessing sites and conducting business online. This would remove the need for filling out forms and entering passwords as you travel around the Net.
“We would enable the use of a credential against the various sites you are going to and basically give you the ability to control whether or not that site would make use of that credential or ask for additional information,” Nash explained.
PayPal would essentially act as a broker between consumers and enterprise. “At some level, we are kind of a little bit like the Visa of the credit card system,” he said.
Nash expects competition, but PayPal has already established a level of trust from financial and commercial institutions. “We aren’t the only ones, but we are at this point the only ones that already have reasonable level of trust associated with the identities,” he said.
With over 193 million accounts worldwide, PayPal has a significant head start in the space, according to Nash. “That’s a huge percentage of people who shop on the Internet who we already represent,” he said.
Technology is not the issue right now, said Nash. PayPal has already answered questions at the technology level, such as how to protect identities and ensure information is not externally shared or subverted, he explained.
“Technologists still have interesting and good work to do, but right now, we are interested in solving the business problems … We are now standing at a higher level and saying, ‘Let’s make this operational and effective,’” he said.
Nash foresees the ability to “directly put back to the consumer the opportunity to decide what information they give.”
“At a privacy level, there are all the standards around protecting who you are and how your information should be used, but now we are upping the ante and saying rather than a blanket set of agreements around how your information should be treated, let individuals themselves decide how much they are happy to release as they move around the Net,” he said.
Personal security would also benefit, according to Nash, by providing a better means for enterprises and merchants to authenticate their consumers and the transactions. PayPal would also have more opportunity to understand whether or not consumer identities are being misused as they move around the network.
Two big benefits for enterprise include drastic reductions in the overhead and costs involved with retaining identity information, such as audit and compliance regulations, according to Nash. It would also allow enterprises to avoid issues with disclosure that arise when consumer information is accidentally revealed.
“There’s this huge opportunity for businesses or merchants who are relying on this to no longer have to be in the consumer data management side of the world,” said Nash.
PayPal’s model may eventually lead to “a very interesting opportunity for business” from a professional management perspective, according to Nash.
“There are indications that some enterprises are interested in stepping out of the identity management business, which is exactly what’s happening in federal government. They are saying we don’t want to manage the identities of all of the citizens we have in the U.S.,” he said.
Announcements regarding enterprises will be made in upcoming months, but implementation on U.S. federal government Web sites like WhiteHouse.gov and the National Institutes of Health is already underway.
In collaboration with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF), the Government Services Administration is adopting OpenID and InfoCard technologies for citizens visiting government Web sites.
PayPal (along with Yahoo, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems) announced its support for the U.S. government pilot programs in early September. A member of OIDF, PayPal is basing its technology on open standards specifications.
Nash’s main message at SecTor was that PayPal can be trusted as an IDP right now, from both a consumer and business perspective.
“The way we are going to approach this is we will have some fundamental agreements about how we are going to protect consumers, what we will protect that belongs to them, then we will allow policies to be set,” he said.
Exactly how everything will roll out is still unclear. The majority of the time, sharing of information would take place based on the policies set by the consumer, said Nash. When exceptions arise, PayPal would notify the consumer to determine what action to take.
In his keynote, Nash presented three laws of IDP, a general set of guidelines modeled after Isaac Asimov’s three laws of robotics:
1) An IDP may not injure a consumer, or through inaction, allow a consumer to come to harm.
2) An IDP must obey orders given by consumers, except where orders would conflict with the first law.
3) An IDP must protect its own existence as long as such protection does not conflict with the first or second law.
“I was looking at this whole question of well, if you are really serious about being a consumer identity provider and advocating for consumers, what rules or what constraints would you put on yourself to show you were behaving correctly? … these ones made sense,” he said.
The model isn’t perfect, but “as a general set of guidelines around how we ought to both prioritize and how various attributes of the business that are deploying ought to relate to each other, having the consumer first is exactly what we have to do,” said Nash.
The laws of robotics is an ethical system, said Nash. “I’m not sure how far down it will actually take us, but as a starting point to present what makes sense for us, it’s not bad,” he said.