PayPal Inc. is on the road to becoming the “Visa” of the Internet, according to a keynote speech at SecTor in Toronto, where Andrew Nash presented the company’s plans to expand into the identity provider business.
The term identity provider (IDP) has existed in the identity technology space, but the actual implementation for consumers is just beginning, explained Nash, PayPal’s senior director of identity services, in a post-keynote interview.
“Identity providers in the case we are talking about are actually an entity that creates credentials, establishes who you are, manages the lifecycle of those credentials and acts as a conduit for attributes and controls policy associated with how your identity could be used,” said Nash.
Consumers would essentially have a single online identity for accessing sites and conducting business online. This would remove the need for filling out forms and entering passwords as you travel around the Net.
“We would enable the use of a credential against the various sites you are going to and basically give you the ability to control whether or not that site would make use of that credential or ask for additional information,” Nash explained.
PayPal would essentially act as a broker between consumers and enterprise. “At some level, we are kind of a little bit like the Visa of the credit card system,” he said.
Nash expects competition, but PayPal has already established a level of trust from financial and commercial institutions. “We aren’t the only ones, but we are at this point the only ones that already have a reasonable level of trust associated with the identities,” he said.
With over 193 million accounts worldwide, PayPal has a significant head start in the space, according to Nash. “That’s a huge percentage of people who shop on the Internet who we already represent,” he said.
Technology is not the issue right now, said Nash. PayPal has already answered questions at the technology level, such as how to protect identities and ensure information is not externally shared or subverted, he explained.
“Technologists still have interesting and good work to do, but right now, we are interested in solving the business problems … We are now standing at a higher level and saying, ‘Let’s make this operational and effective,’” he said.
Nash foresees the ability to “directly put back to the consumer the opportunity to decide what information they give.”
“At a privacy level, there are all the standards around protecting who you are and how your information should be used, but now we are upping the ante and saying rather than a blanket set of agreements around how your information should be treated, let individuals themselves decide how much they are happy to release as they move around the Net,” he said.
Personal security would also benefit, according to Nash, because the model would give enterprises and merchants a better means to authenticate their consumers and the transactions. PayPal would also have more opportunity to understand whether or not consumer identities are being misused as they move around the network.
Enterprises would see two big benefits, according to Nash. The first is a drastic reduction in the overhead and costs involved with retaining identity information, such as audit and compliance regulations. The second is avoiding the disclosure issues that arise when consumer information is accidentally revealed.
“There’s this huge opportunity for businesses or merchants who are relying on this to no longer have to be in the consumer data management side of the world,” said Nash.
PayPal’s model may eventually lead to “a very interesting opportunity for business” from a professional management perspective, according to Nash.
“There are indications that some enterprises are interested in stepping out of the identity management business, which is exactly what’s happening in federal government. They are saying we don’t want to manage the identities of all of the citizens we have in the U.S.,” he said.
Announcements regarding enterprises will be made in upcoming months, but implementation on U.S. federal government Web sites like WhiteHouse.gov and the National Institutes of Health is already underway.
In collaboration with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF), the Government Services Administration is adopting OpenID and InfoCard technologies for citizens visiting government Web sites.
PayPal – along with Yahoo, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems – announced its support for the U.S. government pilot programs in early September. A member of OIDF, PayPal is basing its technology on open standards specifications.
Nash’s main message at SecTor was that PayPal can be trusted as an IDP right now, from both a consumer and business perspective.
“The way we are going to approach this is we will have some fundamental agreements about how we are going to protect consumers, what we will protect that belongs to them, then we will allow policies to be set,” he said.
Exactly how everything will roll out is still unclear. The majority of the time, sharing of information would take place based on the policies set by the consumer, said Nash. When exceptions arise, PayPal would notify the consumer to determine what action to take.
In his keynote, Nash presented three laws of IDP, a general set of guidelines modeled after Isaac Asimov’s three laws of robotics:
1) An IDP may not injure a consumer, or through inaction, allow a consumer to come to harm.
2) An IDP must obey orders given by consumers, except where orders would conflict with the first law.
3) An IDP must protect its own existence as long as such protection does not conflict with the first or second law.
“I was looking at this whole question of well, if you are really serious about being a consumer identity provider and advocating for consumers, what rules or what constraints would you put on yourself to show you were behaving correctly? … these ones made sense,” he said.
The model isn’t perfect, but “as a general set of guidelines around how we ought to both prioritize and how various attributes of the business that are deploying ought to relate to each other, having the consumer first is exactly what we have to do,” said Nash.
The laws of robotics are an ethical system, said Nash. “I’m not sure how far down it will actually take us, but as a starting point to present what makes sense for us, it’s not bad,” he said.