Sun Microsystems Inc. has brought together a host of companies in an alliance to offer an alternative to Microsoft Corp.'s Passport online authentication service, Sun announced Wednesday (9/26/01).
The group, code-named Liberty Alliance Project, aims to create a ubiquitous single sign-on and decentralized authentication system for online services, accessible from any device connected to the Internet. The charter members of the Alliance expect to finalize an agreement on organization and joint technology development within 60 days, according to a statement on the project's Web site. The group will hold its first meeting for charter members in October and plans to announce more details in the coming months.
"This is an alternative to Passport and Hailstorm. Project Liberty will allow users to decide what information to pass on and customer data won't be controlled by one party," said Hans Appel, Sun's chief technology officer (CTO) for Northern Europe.
The Liberty Alliance Project intends to create a universal digital identity service based on open standards. Users should be able to log in once on a given Web site and be authenticated for all the online services supporting the Liberty standard. Customer data, such as phone numbers, addresses, credit records and payment information, will be secure, according to the statement.
While the alliance has not decided on the exact technologies it will use for the authentication process, the group plans to allow each company involved to store user information on its own servers, said Marge Breya, vice president of Sun One marketing. A healthcare provider, for example, would set high levels of security for user information stored on its site. When a user goes from the healthcare Web site to a retail site, only the information needed to purchase retail goods, such as credit card information, would be transferred.
"There will be handshakes between the two companies that the user will authorize," Breya said.
The user would permit one company's server to talk to another company's servers when visiting a new Web site, Breya said.
Smart cards or biometrics technology could be two of the possible means of authentication; however, the alliance maintains it will not decide on specific technologies for some time.
Businesses benefit because they will only need to adopt one technology to give access to all users, no matter what device is used, the group says. The alliance envisions users signing on with cellular phones, portable computers, televisions, cars, point-of-sale terminals and the traditional desktop computer.
Participation is open to all commercial and noncommercial organizations. Among the initial supporters are IBM Corp., Nokia Corp., General Motors Corp., NTT DoCoMo Inc., Koninklijke Philips Electronics NV, and Bank of America Corp. IBM and Philips, along with Telstra Corp. Ltd., Visa USA Inc., SAP AG and Eastman Kodak Co., are included in a list obtained by the IDG News Service, although they are not listed on the alliance announcement. Breya said that some of the companies involved did not want to go public at this time, and would not confirm any names. There are unspecified fees for membership at various levels.
The announcement comes exactly a week after Microsoft surrendered to mounting legal and industry criticism and said it would consider handing over management of Passport to a federated group made up of rivals and corporate partners. Microsoft also said it would open Passport to work with similar competing services.
The alliance hopes companies such as Microsoft and AOL Time Warner Inc. that are working on similar technologies will join the Liberty program, Breya said. A Web site could have multiple types of authentication available, such as Passport and the Liberty protocol.
Privacy advocates said it's hard to judge the proposed system, since there are no technical details yet about how it might function.
"It's still a sort of vaporware at the moment," said Ian Brown, a spokesman for London-based Privacy International. "It very much depends where they go, how deeply they embed privacy into this. It is possible, if you have privacy as one of your most important criteria, to build it in. Whether Sun will do that remains to be seen; Microsoft doesn't seem to have done."
The proliferation of single sign-in systems could lead operators of Web sites to collect users' identities for market research purposes, Brown cautioned.
"Four or five years ago, when the Web just started up, a lot of sites required some sort of log-in just to read the site. But most of them eventually gave up on that, and it would be a shame if it went back in the other direction," he said.
A competitor to Microsoft's Passport would be welcome, according to Maurice Wessling, director of the Amsterdam-based privacy group Bits of Freedom.
"To have an open, multivendor system instead of the Microsoft-controlled Passport service is probably a very good thing for consumers. Passport gives Microsoft too great a power over privacy, price, and quality," he said. "This is presented as a decentralized system with a single sign-on; from a privacy standpoint that's good as there is no need for one central database."
A coalition of privacy groups led by the Electronic Privacy Information Center (EPIC) lodged a complaint against Microsoft with the U.S. Federal Trade Commission (FTC) in July, alleging that Passport is a deceptive attempt to force consumers to store their personal data with the company.
Microsoft representatives were not immediately available to comment.
(Rick Perera in Berlin contributed to this report.)