Mozilla Persona is Launched

March 27, 2013

Yesterday, Mozilla Persona launched at after a preliminary beta period. With this new tool you only need one password to sign in to many sites. But when you dig deeper, it is clear this is not quite the same as using your Facebook or Google account, for example, to sign in to many sites. This is a great example of the type of solution discussed in the research and development work with our partners at MIT Consortium for Kerberos and Internet Trust, on "Core Identity and Persona" (more info at:
According to the Persona terms and conditions page: "The Persona service allows a logged-in user to verify that he is the owner of a certain email address. Once the user has made this verification and uses that email address at websites utilizing the Persona service, the website can request that Mozilla confirm that the user has verified the email address exists and is owned by him. The Persona service works with websites to confirm that a user has verified a certain email address and with email providers to make the initial user verification."
Interestingly, the page also confirms that the Persona service applies to both the user and the parties that stand behind websites that are accessed with Persona. However, Mozilla (the party providing Persona) is not responsible for the results of third party software or APIs that are used to access or integrate with Persona in some way. Where and how that line is drawn could be complex. Here is the relevant wording: "These Terms of Service apply to both the websites and the email providers who use Persona. You are responsible for the third party software or APIs that you use or have developed to access the Persona Service. The Persona service are provided “as is” and there are no warranties of any kind. There are significant limits on Mozilla’s liability for any damages arising from your use of the Persona service."
The terms page also clarifies that the Persona service is definitely offered on a "gift"-like basis that is subject to change or termination at any moment. It is also subject to a general expectation that the Service is not to be used for important ("critical or life-threatening", etc.) purposes. Users also need to expect that Mozilla can "manage" the service to "protect the rights" of others, which, with other services using similar language, may include turning over otherwise private data when pushed by external parties or even terminating the accounts of users. The relevant terms are: "Mozilla has the right to manage the Services to protect the rights and property of Mozilla and others and to facilitate the proper functioning of the Services, including disabling your account. You will not use the Services for any purpose where an accurate verification of identity has critical or life-threatening consequences or has other significant or financial consequences such as in the context of financial services, banking, education, immigration, taxes, or other government functions, or healthcare. Mozilla may discontinue or change the Services at its discretion without liability. If we discontinue or change the Services, we will announce it through Mozilla’s usual channels for such announcements such as blog posts and forums."
Given that the Persona service is new and is offered free of charge by a non-profit organization, the limits and other terms Mozilla applies seem more than fair. And more to the point, the service itself exemplifies the type of thinking and creative approaches toward achievable Core Identity and Persona solutions. It raises the question: If a competing organization, whether for-profit or non-profit, were to offer such a service, could it find a way to further protect the private identity data of users and provide more definite service terms in return for a fee or other agreed revenue models, such as anonymized advertising or other profitable lines of business related to user-controlled sharing of personal data and individual identity information?