David Berlind's Reality Check
By David Berlind
February 20, 2002
Tech Update: Sun, along with other companies, views Project Liberty as an alternative to Passport. But Passport is running and we're still waiting for the Liberty specification. If you go to Microsoft and talk about Liberty, they say "Liberty? Where is it?"

Schwartz: What is important to understand about Liberty is that Liberty is just interoperability of existing identity systems. It is not about creating a whole new identity system to compete with Passport. It is just to make sure that United Airlines Mileage Plus Account can be linked to your VodaFone cell phone account. That's it. So, when will the first interoperability spec be issued? My hope is that by May or June this year, we'll see the first spec. That will articulate only user name and password. Because 95 percent of all the things that happen on the Internet just require user name and password. That will allow you as a customer of CitiGroup and United Airlines--if both choose to actually deploy Liberty--to login to both and link the two accounts. Then, magically, every time you log into CitiGroup, you can go look at your United Airlines Mileage Plus Account.

Tech Update: But what about the interoperability and sharing of personal information that goes beyond user I.D. and password?

Schwartz: I think that that is going to be downstream. Here's my best bet on what will happen with Liberty. The first day you walk into a merchant like Bank of America or United Airlines, you sign an agreement and then they can check your accounts and join them.

Tech Update: Won't that get complicated for United Airlines if they have to manage several of these trust relationships?

Schwartz: So, let's say United Airlines says they want to do the same thing with another vendor like with Hertz, Hyatt, and maybe with American Airlines. Over time, United Airlines is going to be out there signing agreements, signing deals so you can check out your Mileage Plus status from anywhere.
Then they'll reach a point where they have 75 deals and they'll have to say "Hold On. They're all standardized--which is good. But we still have to have 75 deals." We just want to say--anyone who agrees to meet a specific minimum level of authentication--one that's a standardized, industry-accepted level of authentication--[we'll grant their customer the necessary access] to check their Mileage Plus Account. That way, United Airlines no longer needs to sign 75 separate bi-lateral agreements with all these people. They're not just going to say--we're open to the whole world. For that to happen, my belief is that there is going to have to emerge some form of trust broker to whom United Airlines could say "I want to accept anybody who has met this level of authentication, so long as you can bring them to me--they can check their account." They're going to say that because the 75 other merchants are going to say the same thing. No one wants to sign all these bi-lateral agreements--they'll want to sign one bi-lateral agreement with a trust broker and that broker then provides the necessary terms. It's basically the way that VeriSign works today. Domain Name Services [DNS] has a route. Although VeriSign replicates it, and caches all of the DNS tables so you don't always have to go back to the VeriSign data center, the reality is that we rely on them to propagate evolutions in the dot-com hierarchy. So, if the Sun.com domain migrates from one place to another, you can always get access to it because Sun just updates VeriSign once and everyone's updated.

Tech Update: So, who's going to be in the business of providing identity aggregation or authentication aggregation for merchants?

Schwartz: For consumers, I hope--I really hope--and if you ever talk to the banking community, I hope you help promote my business ideals--that they should be in the business of not only being payment service providers, but identity service providers.
Because the American public, for the most part, trusts them. They're familiar with the terms and conditions of protecting secure information. While they're not like platinum, their privacy standards are, for the most part, far, far better than almost any other industry. That's just because the liability to them is so much greater. Therefore, I'd love to look to CitiGroup and say "I'll tell you what. You manage my identity and you manage my whole profile. I give you my buddy lists. I give you my chat. I give you my cousin's phone numbers. I give them all the addresses and I tell CitiGroup--don't share it with anybody, unless I deem it as appropriate. And then, by the way, when I deem it appropriate, I may give you additional terms and conditions that say they're allowed to have this information--only for the purpose of sending me that package--then it must be destroyed."

Tech Update: That's an important part of this--as to how long people have rights to that information--because today when you give the information to somebody--there's no way you get it back, is there?

Schwartz: Right. Also, I think that there are two upsides for merchants in actually accepting that. First, I may in the future only do business with them if they guarantee me lifecycle of my data. Second, what if my data changes? How would they know it's up-to-date? If I point them to CitiGroup where my most up-to-date profile is, that's better for the merchant. There's another thing that I hope happens as well. But again, we're not a consumer company, so we're not driving this. As a consumer, I'd like every piece of information collected about me, to have a tag associated with it. Kind of like the tags you see on explosives. It tells me who collected the data in the first place. If that information ever leaked...

Tech Update: For liability?

Schwartz: Right--exactly. Because that puts everybody on the hook. I catch the on-line merchants all the time. The catalogue retailers are promiscuous too.
Anyway, all of that gets back to the fact that there will be a roadmap of interoperability. It says the first thing that you need to operate around is user name and password. We expect that mid-year, this year. That will allow VodaFone's 212 million subscribers to all have common access to all of the VodaFone properties, all of them. Liberty will solve that problem. The roadmap from there in terms of what's next will be name and some little bit of profile information. And then, arbitrary extensions to profile information along with all the controls associated with how those profiles may, or may not be shared, their life-cycles, etc. From there, we should see the next generation of those services, the objective of which, for credit cards and banks, will be to deal with the verification problem via interoperable standards. This way, consumers can engage in a highly authenticated on-line transaction where the card issuer carries the liability for fraud, and not the consumers. I think we, as consumers, probably want as much of that as possible.

Tech Update: So, in the online world, consumers need the same sort of protection they get if somebody steals a credit card?

Schwartz: Right.

Tech Update: It doesn't cost us anything?

Schwartz: Right. Anyway, I think that there will be a roadmap. The first roadmap is enough to dispel that Liberty isn't real. It's just interoperability. Then, the evolution of that roadmap going forward--it's not just interoperability around user names and passwords. It will be user name, password, profile e-wallet, etc.