Symantec's Identity Initiative believes that there are two key components to "Security 2.0" - identity and reputation. Today at DEMO 07, Symantec announced its upcoming Norton Identity Client, which enables users to personally share their own information online. (As I've blogged before, juggling multiple identities is a painfully common problem.) NIC will manage all of these while providing reputation services. Users can choose what information about themselves they want to share, and with which sites. Like e-mail protection, the client will warn the user when they are about to share information with a suspect site.
A number of issues come to mind:
- If a user can make purchases without providing their own name and credit card number to the merchant site, then this implies that Symantec actually owns the transaction. Presuming a transaction fee, this is brilliant economics. (Wouldn't the team love to get even a penny per Amazon sale?)
- Given all of the recent privacy issues around government subpoenas and consumer transactions, do we really want a single transaction processor to have a complete record of every transaction that we make, no matter what payment method we use or what vendor we purchase from?
- Does Symantec's implementation translate into a complete browsing history? When a site requests information about the visitor, Norton Identity Client requires authorization - site credentials are both temporary and subject to user approval. Besides the question of usability (I wouldn't want to approve every visit to MyYahoo!), it's obvious that Symantec can then log my visits to and behaviors on every site that uses cookie-level information. That's a lot of power to sell to advertisers/content targeters, and certainly attractive to law enforcement.
- A number of competing identity standard efforts agreed to collaborate last year under the OpenID banner. Why isn't Symantec working with the rest of the industry? (If sxip can, Symantec can.)
Though reputation was mentioned, it was only touched upon lightly. I'm curious to see how NIC addresses the "reputation for what" issue (e.g., is someone's five-star reputation valid for their payment history, or for their restaurant recommendations?).
Many vendors have struggled with single sign-on development, whether they were Microsoft Passport or a trendy open-source startup. Symantec has a leg up as a trusted brand for security - consumers will have confidence that a Norton product can protect them from identity theft. Hopefully, Symantec will both address core privacy issues and leverage its substantial street cred as it builds out a valuable set of identity services.