A usable identity management system
for the Digital Public Space

Position paper for the W3C Identity in the Browser Workshop, May 2011

Olivier Thereaux, Mo McRoberts, Richard Northover – British Broadcasting Corporation

The BBC is the largest broadcasting organisation in the world. With a public service mission to inform, educate and entertain, our activities as a public service broadcaster include the production of TV and radio programmes, operating 8 national TV channels plus regional programming, 10 national and 40 local radio stations, many worldwide TV channels, as well as an extensive Web presence (online since 1996), notably known worldwide for its news and sports coverage.

All the BBC's online services use a centralised sign in system. In effect, this means that the BBC is not only hosting account information and user data, but that it also hosts proto-representations of the online identity of its users.

The BBC's core mission and challenges are different from those of international online social networking services. The question of Web identity is nonetheless crucial for the BBC's future, as illustrated by an increasing number of use cases. Our vision of a personalised BBC experience includes recommendations based on preferences and consumption patterns, social discovery of content based on sharing of user activity, as well as options for a range of content contribution and interaction. For each of these areas, the ability to identify and protect individuals, their preferences, contributions, data, permissions and rights is critically important.

We believe in the principle that the control and management of an individual's digital identity should be on their own terms, in a way that they can understand and fundamentally trust. In practice, given the contemporary trends towards a more social, personal and ubiquitous Web where user profile, preferences and data become key building blocks of the online experience, ensuring adequate identification, authentication and user data management features is a crucial endeavour for the BBC. The solutions we find will need to scale to accommodate usage by a large majority of the population of the UK (the BBC reaches more than 90% of the UK population through its broadcasting and online operations) and beyond.

Several alternatives are currently available to reach this goal. The BBC may continue its effort of building its own system for identity and user data and make it scale. As one of the most trusted organisations in the UK, we can even envision making it into an identity system to be used beyond the BBC's online presence. Another possibility would see the BBC focus on the programmes and experience, and use online identity systems already provided by third parties such as one of the major social networking services. Each of these options comes with a number of fundamental challenges, however: scalability and cost for the former, legal and social issues for the latter.

The BBC is governed by a public service remit. Any solution it pursues must both be in the public's interest and make the best possible use of the licence fee, which is paid by the UK public and funds most of the BBC's activities. Given that neither operating our own identity system on a long-term basis nor putting it into the hands of a third party is a straightforward option, the possibility of decentralised identity systems which ensure that an individual is in control of their own digital identity begins to appear increasingly attractive.

A decentralised, user-owned identity would also possibly be the option most compatible with the goals and tenets of the Digital Public Space – an effort by the BBC and other cultural institutions in the UK to provide access to all of the UK's cultural archives, bringing together both the rich information carefully curated through the years with the more immediately-accessible higher level information and audio-visual material, both from the partners and around the Web.

The management of one's identity on the Web is only a part of the contemporary problem space of the social web, but a major one nevertheless. Solutions based on linked Web data and public-key certificate technologies are an apt technological answer to it. However, the lack of usability of most personal identity management schemes proposed so far, and especially those based on the URI-as-representation-of-the-identity, has appeared to be a major hurdle to the adoption of user-controlled identity. We therefore propose that the upcoming workshop on identity in the browser focus in part on the following questions:

  1. How do we build an identity management system owned by the user, designed for the user, and which has properties such as unambiguous ownership and control over destiny, trust and understanding (the properties of a system which the user has built him- or herself)?
  2. How do we build a decentralised, user-owned identity system which can function seamlessly on every device and browser, personal or shared, used by individuals in the home, at work and on the go? How can this work with users moving from a modern browser at home to a legacy one at work or school?
  3. How do we build an identity management stack using strong cryptography but which can mitigate the loss of keys resulting, for example, from the hardware failure of a personal computer?
  4. How do current W3C efforts relating to identity management relate to, and integrate, our understanding of how people currently view and manage their online identities, through e.g. various online social networking services, work and personal e-mail addresses, etc.?
  5. How can better interfaces in the browser bridge the gap in digital literacy around cryptography, certificates, or indeed the management of their porous, multiple online identities?

Some of these questions will have to be answered as architectural principles for future standards; others may be worthy input for implementors and the interface and user experience they will devise. As a major broadcaster in the UK and internationally, and as a public service organisation with digital literacy education at the core of our mission, the BBC is looking forward to collaborating with the W3C community on building a strong set of use cases based on user research. We expect to bring valuable existing knowledge of the issue, a unique perspective as a public service broadcaster, and a commitment to helping build a scalable and effective identity management system usable, understandable, and trustable by all.