Shostack + Friends Blog Archive


What's an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint?

Bob Blakely: My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from Choicepoint in that it has contracts with its data subjects which require it to protect their privacy and other

Adam: So the Oracle is making money on both sides of the deal? From me and from an employer?

Bob Blakely: The oracle is making money by providing a service to the individual. Like broadcast TV, Google, or a real estate buyer’s agent, it doesn’t necessarily have to charge the individual for that service; the cost could be borne by the relying parties.

Adam: If the Oracle doesn’t charge me, do we have a meeting of the mind and an exchange of value? As I’m sure you know, those are the core elements of a contract.

On a related note, what’s to prevent a rogue oracle organization? I think that there’s both value in me paying, and all sorts of risks, such as oracle capture by customers or the moral issues of me having to pay to get data about me validated.

Bob Blakely: The oracle might make money on you but more likely is charging your transaction partners, in the same way that your real estate buyer’s agent gets paid by the seller. But unlike today’s identity providers, it has obligations to you.

You could ask the same question about the relationship between you and a pro-bono lawyer, or a realtor (if you’re buying a house), or any one of a number of other professionals and businesses who work on your behalf but charge others for the privilege. American Express works this way – you pay a (small) yearly fee, but most of their money comes from charging retailers.

What prevents a rogue oracle organization is lawsuits (based on contract law) and the inability to continue in business due to bad publicity.

The difference between an oracle and other identity providers is that the other providers don’t offer you the contract which would let you take action against them; instead you have to rely on someone like the FTC taking action on your behalf, without the possibility of personal recovery for loss.