Organizing and Facilitating a Virtual Workshop
Earlier this year, a team within Google reached out to me for advice on engaging with the people in the IAM field who would give them the feedback they needed to progress their WebID project. Since WebID is all about federated identity on the web — one of my favorite topics — and the engagement would let me use my human network to good effect, I was more than happy to work with them on this project. The problem we’re all trying to solve is complicated: being able to login to a site via a third party (e.g., going to a service and using your Google account to log in, or going to a scholarly journal and using your university account to log in) uses exactly the same browser features that ad tracking networks use. As far as the web browser is concerned, there’s no distinguishable difference between the two activities. If you block one, you block the other. Oops.
Fast forward about six weeks from that initial conversation with Google; that’s when the WebID team and I decide it’s time to have a workshop. We need more input, but we need it in a way that we can act on it, and not everyone understands or agrees to what problem, exactly, we’re trying to solve. And, hey, what could possibly go wrong in a workshop? (Hint: So much. So much could possibly go wrong.)
Here’s the thing about organizing a virtual workshop on the topic of federated identity on the web: the people that need to be involved come from EVERYWHERE. I’m talking about people that understand the use cases in the e-commerce world, workforce identity, government identity, academic identity, further broken down into organizations that host identities (identity providers) and organizations that rely on those identities (relying parties or service providers). Every sector and every business model has scenarios that must be considered when determining how federated identity should work on the web. And these use cases are Very Important to the organization bringing them to the table.
That introduces the first level of tension: on the one side, you have web browsers feeling the pressure to prevent hidden tracking of users. Lots and lots of pressure. They have to do something, or they could end up in front of lawmakers for aiding and abetting Bad Behavior. On the other side, you have organizations with all those use cases where they legitimately need the tools that just happen to be used by trackers. They need to know that either the functionality they use to get people logged in will continue to exist OR they need to know exactly what will change, when, so they can update their products and services. Updating products and services can take years; changes to browsers to prevent hidden tracking can happen in months.
But wait, there’s more! “Tracking is bad and an invasion of privacy” is like motherhood and apple pie. Of COURSE that’s true, right? Well, um, no, not always. Let’s say that we have a really security-conscious user named Chris. During his workday, Chris logs into several cloud services as part of his job. And, at the end of the day, he wants to log out from all of them by going to his identity provider and saying, “log me out of All The Things.” That only works if the identity provider knows what services Chris logged into. There are other examples, but the point is that the problem we’re all trying to solve isn’t clear, so any “solution” is going to really irritate the snot out of someone else.
With this kind of tension, all of which I knew about before the workshop was even proposed, it felt like it would take a minor miracle to have the workshop be productive and not turn into a mud fight.
Pro-tip #1: if you know you’re going into a big meeting with the potential for explosions, try and engage with the people most likely to explode before the meeting! Get their input, tell them what you’re trying to accomplish, and work with them to figure out how to raise their point most constructively.
The first step in a workshop like this is to determine who really needs to be there in order to make it worthwhile. In this case, people who could talk about the main browsers were critical: Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari. If we couldn’t get all, we needed to at least get most. People who could talk about the issues that large-scale identity providers were anticipating were also critical: Google Sign-In, Facebook, Microsoft Identity. If we had more time, we also wanted people who could present major relying parties in the workforce, in higher education, or in other sectors. We also wanted people who could talk about the specific protocols currently in use. And hey, wouldn’t it be great if we could also get people who could represent legal requirements. And, wow, we’d love to have these other groups, and these, and these, and maybe those, and a few of those…
Some keywords in the previous paragraph are “if we had more time.” As we put together the list of “who needs to attend,” we took a good hard look at “and how much time do we have.” That introduced some major constraints on what we would be able to discuss and therefore limited the required attendee list. I’m not sure why this is, but people who can handle three full days of in-person conferences generally can only handle three hours of videoconferencing. We decided to split the workshop into two three-hour chunks, across two days. The first day focused on presentations, to make sure everyone was coming from a common baseline of information, and day two was all about discussion.
Pro-tip #2: Be realistic in the time you have for the agenda, and make clear at the beginning and end of the meeting what items will not be covered this time, leaving the door open to the next meeting where you will put those topics at the top of the list.
My favorite part of the workshop had to be how we got to the discussion part of the show. During day one, I encouraged everyone to add questions to a tool called Slido. People could view the questions and vote on which ones they wanted us to discuss on day two. At the end of day one, we did a quick walk-through of the questions, noted where they fell in terms of popularity, and I got them ready for day two. Clean, organized, and everyone had a chance to offer input. Yay!
Pro-tip #3: Make sure everyone knows how to ask questions. Repeat yourself after each presentation on how to ask questions. Add it to the agenda. Add it to the notes. Put it in whatever backchannels you are using for side conversations. People need to feel heard, and getting their questions out there is a big part of that.
The other tool I used to organize the discussion on day two was Zoom polls. These polls were the highlight of my week! Most of them were written on the fly and allowed every single participant to offer their input. Rather than trying to guess consensus when only 10% of the people were speaking up, seeing the numbers right there on the screen really kept us on task and made it clear where there was alignment so we could stop talking and move on, or where there was not alignment and needed quality time.
Pro-tip #4: In any large gathering, there will be a relatively small number of people confident enough to speak up. They are important, but so is everyone else in the room. Figure out how you’re going to get input from the folks who aren’t confident in speaking up.
By the end of the workshop, we managed to clarify the tension around describing the problem we were there to discuss, agree to form a new W3C Community Group, have people sign up to work on the charter, and identify the next six topics that need to be addressed. For a group that hadn’t met before, on a topic as complicated as this one, it was one heck of a constructive workshop.
The only downside for me to the workshop was that I personally couldn’t pay much attention to the presentations. While others were talking, I was checking two Slack channels, multiple direct messages, the live scribing notes doc, and the zoom chat, and watching the clock. My role was to keep things moving while keeping things calm and productive. I owe several beverages to those people who stepped up to take notes during the workshop. They gave me and all the others who couldn’t make it an opportunity to catch up later on what was really an epic event.