Centralized Services Needn't be Evil to be a Problem


Summary

Relying on a single actor to make things work for millions is no way to do something as fundamental to human autonomy and dignity as digital identity.

Microsoft Passport Logo

I ran across this story today about Microsoft forgetting to renew the Passport.com domain and cutting off millions of users from service. It's no longer available at its original home, so the link is to the Wayback machine copy.

There are several lessons here:

  1. We like to talk about centralization being bad because it potentially gives power to evil actors. But let's not forget that centralization can be bad merely because organizations can be incompetent, forgetful, or inept. Leadership shifts. Policies expire. Companies fail. Systems decay. By all accounts, Microsoft is a well-run place, but relying on a single actor to make things work for millions is no way to do something as fundamental to human autonomy and dignity as digital identity.
  2. The use of just-in-time callbacks to build trust in an identity credential can put millions out of service for simple authentication checks. Imagine if every use of the driver's license required a real-time call back to the Drivers License Bureau. Instead, let's build identity systems that allow people to hold credentials that don't need real-time verification to check fidelity and provenance.
  3. Domain names are not identity. They're rented and so can't be permanent. The story on doublewide.net is interesting history, but the domain was impermanent. Thankfully, places like the Wayback Machine preserve some of it. Consider donating! I did.

Please leave comments using the Hypothes.is sidebar.