Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Let's embrace Identity Plurality

In information security we’ve been saddled for years with the tacit assumption that deep down we each have one “true” identity, and that the best way to resolve rights and responsibilities is to render that identity as unique. This “singular identity” paradigm has had a profound and unhelpful influence on security and its sub-disciplines like authentication, PKI, biometrics and federated identity management.

Federated Identity is basically a sort of mash-up of the things that are known about us in different contexts. When describing federated identity, its proponents often point out how drivers licences are presented to boot-strap a new relationship. But it is a category error to abstract this case as an example of Federated ID, because while a licence might prove your identity when joining a video store, it does not persist in that relationship. Instead the individual is given a new identity: that of a video store member.

A less trivial example is your identity as an employee. When you sign on, HR might sight your driver licence to make sure they get your legal name correct. But thereafter you carry a company ID badge – your identity in that context. You do not present your driver licence to get in the door at work.

Federated Identity posits, often implicitly, that we only really need one identity. The "Identity 2.0" movement properly stresses the multiplicity of our relationships but it usually seeks to hang all relationships off one ID. The beguiling yet utopian OSCON2005 presentation by Dick Hardt shows vividly how many ways there are to be known (although Hardt went a step too far when he tried to create a single, albeit fuzzy, uber identity transcending all contexts).

I favor an alternate view - that each of us actually exercises a portfolio of separate identities and that we switch between them in different contexts. This is not an academic distinction; it really makes a big difference where you draw the line on how much you need to know to set a unique identity.

Kim Cameron’s seminal Laws of Identity deliberately promoted the plurality of identity. Cameron included a fresh definition of digital identity as “a set of claims made by one digital subject about itself or another digital subject”. He knew that this relativist definition might be unfamiliar, admitting that it “does not jive with some widely held beliefs – for example that within a given context, identities have to be unique”.

That "widely held belief" seems to be a special product of the computer age. Before the advent of “Identity Management”, we lived happily in a world of plural identities. Each of us could be by turns a citizen, an employee, a chartered professional, a customer, a bank account holder, a credit cardholder, a patient, a club member, another club official, and so on. It was seemingly only after we started getting computer accounts that it occurred to people to think in terms of one "primary" identity threading a number of secondary roles. Conventional Access Control insists on a singular authentication of who I am, followed by multiple authorisations of what I am entitled to do. This principle was laid down by computer scientists in the 1970s.

The idea that we need to establish a true identity before granting access to particular services is unhelpful to many modern online services. Consider the importance of confidentiality in "apomediation" (where people seek medical information from non-technical but "expert" patients) and online psychological counselling. Few will enrol in these important new patient-managed healthcare services if they have to identify themselves before providing an alias. Instead, participants in medical social networking will feel strongly that their avatars’ identities in and of themselves are real.

Despite the efforts of Kim Cameron and others, the singular identity paradigm has proved hard to shake. In practice, and despite the plurality in the Laws of Identity, most federated identity formulations actually reuse identities across totally unrelated contexts, in order to conveniently hang multiple roles off the one identity.

The old paradigm also explains the surprisingly easy acceptance of biometrics. The very idea of biometric authentication plays straight into the world view that each user has one “true” identity. Yet these technologies are deeply problematic; in practice their accuracy is disappointing; worse, in the event a biometric is ever stolen, it's impossible with any of today's solutions to cancel and re-issue the identity. Biometrics’ overwhelming intuitive appeal must be based on an idea that what matters in all transactions is the biological person. But it’s not. In most real world transactions, the role is all that matters. Only rarely (such as when investigating fraud) do we go to the forensic extreme of knowing the person.

There are grave risks if we insist on the individual being bodily involved in routine transactions. It would make everything intrinsically linked, violating inherently and irreversibly the most fundamental privacy principle: Don’t collect personal information when it’s not required.

Why are so many people willing to embrace biometrics in spite of their risks and imperfections? It may be because we’ve been inadvertently seduced by the idea of a single identity.

Posted in Identity, Federated Identity, Culture, Biometrics

For all the talk of ecosystems ...

Yet another breathless report crossed my desk via Twitter this morning where the rise of mobile payments is predicted to lead to cards and cash "disappearing", in this case by 2020. Notably, this hyperventilation comes not from a tech vendor but instead from a "research" company.

So I started to wonder why the success of mobile payments (or any other disruptive technology) is so often framed in terms of winner-take-all. Surely we can imagine new payments modalities being super successful without having to see plastic cards and cash disappear? It might just be that press releases and Twitter tend towards polar language. More likely, and not unrelatedly, it's because a lot of people really think this way.

It's especially ironic given how the term "ecosystem" tops most Buzzword Bingo cards these days. If commentators were to actually think ecologically for a minute they'd realise that the extinction of a Family or Order at the hands of another is very rare indeed.

Posted in Payments, Language, Culture

Guilty until proven innocent

Once again, in relation to charges levelled against their own, politicians have claimed that like everyone else, they deserve the presumption of innocence. But the old saw "innocent until proven guilty" is no universal human right. It is merely a corollary of the 18th century Blackstone's Formulation: "Better that ten guilty persons escape than that one innocent suffer".

For persons in positions of trust -- politicians, police officers, customs officers, judges and so on -- different calculations apply. The community cuts public officers less slack, because the consequences of their misconduct are far reaching. When only one bad apple can spoil the barrel, Blackstone's Formulation patently does not apply. It is probably better that 10 innocent politicians (or police officers or airport baggage handlers) lose their jobs than for one wrongdoer to stay in place.

If politicians agree to be held to higher standards than members of the public, then as part of the bargain, they cede the presumption of innocence.

Posted in Culture, Security

Science is more than the books it produces

These days it’s common to hear the modest disclaimer that there are some questions science can’t answer. I most recently came across such a show of humility by Dr John Kirk speaking on ABC Radio National’s Ockham’s Razor [1]. Kirk says that “science cannot adjudicate between theism and atheism” and insists that science cannot bridge the divide between physics and metaphysics. Yet surely the long history of science shows that divide is not hard and fast.

Science is not merely about the particular answers; it’s about the steady campaign on all that is knowable.

Science demystifies. Way before having all the detailed answers, each fresh scientific wave works to banish the mysterious, that which previously lay beyond human comprehension.

Textbook examples are legion where new sciences have rendered previously fearsome phenomena as firstly explicable and then often manageable: astronomy, physiology, meteorology, sedimentology, seismology, microbiology, psychology and neurology, to name a few.

It's sometimes said that in science, the questions matter more than the answers. Good scientists find a way to ask good questions. Great scientists show where there is no question anymore.

Once something profound is no longer beyond understanding, that state of affairs permeates society. Each wave of scientific advance is usually signalled by beneficial new technologies, but more importantly, deep down, what science does for the human condition is it imparts confidence. In an enlightened society, those with no scientific training still appreciate that science gets how the world itself works. And over time this vital communal confidence has supplanted astrologers, shamans, witch doctors, and even the churches. Laypeople may not know how televisions work, nor nuclear medicine, semiconductors, anaesthetics, antibiotics or fibre optics, but they sure know it’s not by magic.

The arc of science ever parts mystery’s curtain. Contrary to Dr Kirk's partitions, science frequently renders the metaphysical as natural and empirically knowable. My favorite example: To the pre-Copernican mind, the Sun was perfect and ethereal, but when Galileo trained his new telescope upon it, he saw spots. These imperfections were shocking enough, but the real paradigm shift came when Galileo observed the sunspots to move across the face, disappear and then return hours later on the other limb. Thus the Sun was shown―in what must have truly been a heart-stopping epiphany―to be a sphere turning on its axis: geometric, humble, altogether of this world, and very reasonably the centre of a solar system as Copernicus had reasoned a few decades earlier. This was science exercising its most profound power, titrating the metaphysical.

An even more dramatic turn was Darwin's discovery that all the world’s living complexity was explicable without god. He thus dispelled teleology (the search for ultimate reason). He not only neutralised the Argument from Design for the existence of god, but also the very need for god. The deepest lesson of Darwinism is that there is simply no need to ask "What am I doing here?" because the wondrous complexity of all of biology, including humanity's own existence, is seen to have arisen through natural selection, without a designer, and moreover, without a reason. Darwin himself felt keenly the gravity of this outcome and what it would mean to his deeply religious wife, and for that reason he kept his work secret for so long. It seems philosophers appreciate the deep lessons of Darwinism more than our modest scientists: Karl Marx saw that evolution “deals the death-blow to teleology” and Friedrich Nietzsche claimed “God is dead ... we have killed him”.

So why shouldn’t we expect science to continue? Why should we doubt―or perhaps fear―its power to remove all mystery? Of course many remaining riddles are very hard indeed, and I know there’s no guarantee science will be able to solve them. But I don't see the logic of rejecting the possibility that it will. Some physicists feel they’re homing in on why the physical constants should have their special values. And many cognitive scientists and philosophers of the mind suspect a theory of consciousness is within reach. I’m not saying anyone yet gets it, but surely most would agree that consciousness just doesn’t feel like a total enigma anymore.

Science is more than the books it produces; it’s the optimism that we will keep writing new ones.

References

[1]. “Why is science such a worry?” Ockham's Razor 18 December 2011 http://www.abc.net.au/radionational/programs/ockhamsrazor/ockham27s-razor-18-december-2011/3725968

Posted in Science, Culture

Strippers are better off than Facebook users

Journalist Farhad Manjoo at Slate recently lampooned the privacy interests of Facebook users, quipping sarcastically that "the very idea of making Facebook a more private place borders on the oxymoronic, a bit like expecting modesty at a strip club". Funny.

A stripper might seem the archetype of promiscuity but she has a great deal of control over what's going on. There are strict limits to what she does and moreover, what others including the club are allowed to do to her. Strip club customers are banned from taking photos and exploiting the actors' exuberance, and only the most unscrupulous club would itself take advantage of the show for secondary purposes.

Facebook offers no such protection to their own members.

While people do need to be prudent on the Internet, the real privacy problem with Facebook is not the promiscuity of some of its members, but the blatant and boundless way that it pirates personal information. Regardless of the privacy settings, Facebook reserves all rights to do anything it likes with PI, behind the backs of even its most reserved users. That is the fundamental and persistent privacy breach. It's obscene.

Update 5 Dec 2011

Farhad Manjoo took me to task on Twitter and the Slate site [though his comments at Slate have since disappeared] saying I misunderstood the strip club analogy. He said what he really meant was propriety, not modesty: visitors to strip clubs shouldn't expect propriety and Facebook users shouldn't expect privacy. But I don't see how refining the metaphor makes his point any clearer or, to be frank, any less odious. I haven't been to a lot of strip clubs, but I think that their patrons know pretty much what to expect. Facebook on the other hand is deceptive (and has been officially determined to be so by the FTC). Strip clubs are overt; Facebook is tricky.

Manjoo blames the victims, saying that if people want privacy they shouldn't use Facebook at all. The headline on his article says users are as much to blame for Facebook's privacy woes as Mark Zuckerberg. This is just tacit acceptance of a Wild West, everyone-for-themselves morality that runs through so much of the Internet. We should debate the difference between what is and what ought to be happening on the Internet, rather than accepting rampant piracy of PI and leaving hapless users to their own devices. The sorts of privacy intrusions that Facebook foists on its users are not intrinsic. Facebook doesn't have to construct biometric templates without the subjects' permission as soon as someone else tags them in photos, neither does it have to continuously run those biometric templates over third party photo data (probably uploaded for other reasons). Facebook could if it desired delete the biometric templates when users ask for tags to be removed, or at the very least alert users to what's going on in the background with photo tags. If photo tagging was just for the fun of the users, rather than commercial exploitation, Facebook would promise in its Privacy Policy not to put biometric templates to secondary purposes. But no, Facebook doesn't even mention these things in its Policy.

Some of us -- including both Manjoo and me -- have realised that everything Facebook does is calculated to extract commercial value from the Personal Information it collects and creates. But I don't belittle Facebook's users for falling for the trickery.

Posted in Social Networking, Social Media, Privacy, Internet, Culture

Other thoughts on Real Names

I'm going to follow my own advice and not accept the premise of Google's and Facebook's Real Names policy that it somehow is good for quality. My main rebuttal of Real Names is that it's a commercial tactic and not a well grounded worthy social policy.

But here are a few other points I would make if I did want to argue the merits of anonymity - a quality and basic right I honestly thought was unimpeachable!

Nothing to hide? Puhlease!

Much of the case for Real Names riffs on the tired old 'nothing to hide' argument. This tough-love kind of view that respectable people should not be precious about privacy tends to be the preserve of middle class, middle aged white men who through accident of birth have never personally experienced persecution, or had grounds to fear it.

I wish more of the privileged captains of the Internet could imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. And as Identity Woman points out, we're not just talking about resistance fighters in the Middle East but also women in 21st century America who are pilloried for challenging the sexist status quo!

Some have argued that people who fear for their own safety should take their networking offline. That's an awfully harsh perpetuation of the digital divide. I don't deny that there are other ways for evil states to track us down online, and that using pseudonyms is no guarantee of safety. The Internet is indeed a risky place for conducting resistance for those who have mortal fears of surveillance. But ask the people who recently rose up on the back of social media if the risks were worth it, and the answer will be yes. Now ask them if the balance changes under a Real Names policy. And who benefits?

Some of the Internet metaphors are so bad they’re not even wrong

Some continue to compare the Internet with a "public square" and suggest there should be no expectation of privacy. In response, I note first of all that the public-private dichotomy is a red herring. Information privacy law is about controlling the flow of Personally Identifiable Information. Most privacy law doesn't care whether PII has come from the public domain or not: corporations and governments are not allowed to exploit PII harvested without consent.

Let's remember the standard set piece of spy movies where agents retreat to busy squares to have their most secret conversations. One's everyday activities in "public" are actually protected in many ways by the nature of the traditional social medium. Our voices don't carry far, and we can see who we're talking to. Our disclosures are limited to the people in our vicinity, we can whisper or use body language to obfuscate our messages, there is no retention of our PII, and so on. These protections are shattered by information technologies.

If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tattooing people's names on their foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit.

Medical OSN apartheid

What about medical social networking, which is one of the next frontiers for patient centric care, especially of mental health? Are patients supposed to use their real names for "transparency" and "integrity"? Of course not, because studies show participation in healthcare in general depends on privacy, and many patients decline to seek treatment if they fear they will be exposed.

Now, Real Names advocates would no doubt seek to make medical OSN a special case, but that would imply an expectation that all healthcare discussions be taken off regular social circles. That's just not how real life socialising occurs.

Anonymity != criminality

There's a recurring angle that anonymity is somehow unlawful or unscrupulous. This attitude is based more on guesswork than criminology. If there were serious statistics on crime being aided and abetted by anonymity then we could debate this point, but there aren't. All we have are wild pronouncements like Eugene Kaspersky's call for an Internet Passport. It seems to me that a great deal of crime is enabled by having too much identity online. It's ludicrous that I should hand over so much Personal Information to establish my bona fides in silly little transactions, when we all know that data is being hoovered up and used behind our backs by identity thieves.

And the idea that OSNs have crime prevention at heart when they force us to use "real names" is a little disingenuous when their response to bullying, child pornography, paedophilia and so on has for so long been characterised by keeping themselves at a cool distance.

What’s real anyway?

What’s so real about "real names" anyway? It's not like Google or Facebook can check them (in fact, when it suited their purposes, the OSNs previously disclaimed any ability to verify names).

But more's the point, given names are arbitrary. It's perfectly normal for people growing up to not "identify with" the names their parents picked for them (or indeed to not identify with their parents at all). We all put some distance between our adult selves and our childhoods. A given family name is no more real in any social sense than any other handle we choose for ourselves.

Posted in Social Media, Security, Privacy, Nymwars, Internet, Identity, e-health, Culture, Social Networking

Real names is real sly

In a favorite West Wing episode, the press secretary advises VP running mate Leo McGarry that he doesn't have to "accept the premise of the question". Let's remember this when engaging with the self-appointed social scientists and public policy makers at Google, Facebook et al who insist we use "real names" on the Internet.

It's terrific that Google’s Real Names policy has been soundly rebutted so widely, with earnest and worthy defences of the right to anonymity. I especially like the posts by Identity Woman, danah boyd, and Alexis Madrigal at The Atlantic, who compellingly relates how his own position shifted on the questions as he thought them through.

But at the same time I am disappointed so many defenders of freedom have been drawn into arguing the pros and cons of "transparency". The Namesake infographic (which dates from May, before the Real Names furore broke out, and was reprised by Mashable last week) dumbs down the debate by accepting it as a fight between extremes. Frustratingly, it grants legitimacy to Zuckerberg’s mad idea that having two identities shows a lack of integrity.

As an aside, using the label "transparency" sub-textually reframes identity with a pro-Real Names bias, especially when juxtaposed against "anonymity" which sounds shady. Is it really fair to call it "transparency" when forcing people to reveal more than is necessary about themselves when they’re socialising?

This issue is really not about transparency at all. Let’s say loud and clear: the Real Names policies of Facebook and Google+ are self-serving commercial tactics intended to maximise the commercial value of their networked stores of Personal Information.

Obviously these informopolies add more value to their network data when they can index it with precision. The use of multiple personae disaggregates the metadata held by OSNs and reduces its value to advertisers and all other PI pirates. In fact reserving the right for individuals to disaggregate their PI is one of the cornerstones of information privacy. Thus in Australia we forbid businesses from reusing government-issued identifiers like Medicare numbers and driver license numbers.

We should not accept the premise that a Real Names policy serves any user-positive purpose, like "transparency", or that it forces better integrity in how people conduct themselves socially. The idea that bloggers are less than honest when not named is, ironically, utterly devoid of social nuance. At every turn, we instinctively compartmentalise our personae, revealing what matters when we interact in different circles – home, work, social, medical – and instinctively holding back what doesn't.

"Online Social Networks" should not seek to change the way we socialise.

We must not allow gurus like Zuckerberg to get away with self-serving philosophies like 'we all have one true identity'. He really has no deep insights into the human condition. What he has is a mind-boggling personal fortune based entirely on knowledge about people he has harvested on largely false pretences, and which is diluted when those people are allowed to name themselves socially as they do in real life.

Posted in Privacy, Nymwars, Language, Internet, Identity, Culture, Social Networking

A new Declaration of Identity

July 4th saw the release of the "Declaration of Identity". It's clever and emotive (at least for Americans). And maybe it's not supposed to be taken too seriously, but it seems to be another example of the complicating generalisations that I think distract from the real problem: How to make safe the perfectly good identities we already have when we go online?

The declaration asserts "sovereignty over free and independent determination and expression of innate identity".

Call me pedantic, but it's not quite right. Digital Identities are proxies for various relationships we have, each of which is almost always framed by the Relying Party, for it is the RP that wears most risk when identification goes wrong. Digital identity might be negotiable in some instances between Subject and RP/IdP, but it's just not the sort of stuff that belongs to an individual, let alone is "innate".

Posted in Language, Internet, Identity, Culture

Identity Evolves [AusCERT Conference Presentation Abstract]

This is the abstract for my paper that has been accepted in the main program at the AusCERT 2011 Conference.

Why Federated Identity is easier said than done

AusCERT2011 | "Overexposed" | 15th-20th May 2011
Royal Pines Resort | Gold Coast, Australia
http://conference.auscert.org.au/conf2011

Abstract

Why does digital identity turn out to be such a hard problem? People are social animals with deep seated intuitions and conventions around identity, but exercising our identities online has been hugely problematic.

In response to cyber fraud and the password plague, there has been a near universal acceptance of the idea of Federated Identity. All federated identity models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline registration, reduce costs, and open up new business channels. It’s a potent mix of supposed benefits, and yet strangely unachievable. True, we can now enjoy the convenience of logging onto multiple blogs and social networks with an OpenID or an unverified Twitter account. But higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.

This paper shows that Federated Identity is in fact a radical and deeply problematic departure from the way we do business. It complicates long standing business arrangements and exposes customers and service providers alike to brand new risks which existing contracts are unable to deal with. Federated identity naively fails to understand that identities are proxies for relationships we have in different contexts. Business relationships don’t easily “interoperate”. They can’t be arbitrarily tweaked to suit different contexts, because each relationship has evolved to fit a particular niche. While the term identity “ecosystem” is fashionable, genuine ecological thinking has been lacking. The alternative presented here is to faithfully conserve business contexts and replicate existing trusted identities when we go from real world to digital, without massively re-engineering proven business rules and risk management strategies.

A still unproven idea

The past decade is littered with earnest identity initiatives that failed to get off the ground (including at least three in Australia alone) and security industry consortia that over-promised and under-delivered. We’ve endured endless deconstructions of “trust” and theoretical dissertations on “identity” but none of this work has led to the sort of breakthrough that’s desperately needed. Online identity fraud continues to grow. The direct cost is hundreds of billions of dollars globally; the indirect cost includes a malaise inhibiting such truly transformative initiatives as e-health.

In spite of its conspicuous failures and the revolving door of technical working groups, Federated Identity has become an orthodoxy. The US federal government’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC) takes federation as a given. Its central tenets such as the pigeonholing of identification risk into four generic “trust levels” have been standardised in SAML and productised, but not yet realised.

Hidden complexities

If we take a closer look, we can see that nothing like Federated Identity has ever been done before. The proposition that banks, telcos, universities and governments should act in the open as “Identity Providers” is not something these institutions have contemplated outside their own closed business contexts.

Most federation initiatives hold out self-evidently noble objectives like “interoperability”, “openness” and the eradication of “silos”. Yet these feel-good words don’t stand up to scrutiny. Federation implies widespread changes to business rules and risk management arrangements, which lawyers and legislators have yet to come to grips with. Consider that banks have long established (and highly regulated) protocols for identifying customers. Introducing new third party identity providers and new enrolment pathways is a true paradigm shift, demanding untold revision of conventions, contracts and legislation.

The benefits of decentralisation claimed of Federated Identity are largely illusory. It is good for privacy and security that federation generally deprecates any one master ID, but it introduces legally novel intermediaries and new aggregations of personal information. For instance, in order to provide for “verified anonymity”, Federated Identity has customers enrol with brand new Identity Providers, handing over bulk personal information to them, only so that it may be withheld from service providers.

A simpler way forward

It is often said that identity management is “not a technology issue”. The statement is both right and wrong. The biggest challenges in federated identity are certainly not technological; rather, they relate to risk allocation in an unprecedented joined-up matrix which changes the legal fundamentals of how we do business. On the other hand, the pressing problems of ID theft and fraud really are technologically straightforward.

We all agree that identities are context dependent; the deeper truth is that identities are proxies for complex relationships that have evolved to fit distinct niches in the identity ecosystem. As with real life ecology, characteristics that bestow fitness in one niche can work against the organism in another. Thus the derided identity “silos” are a natural and inevitable consequence of how business rules are matched to particular contexts.

We need to avoid complicated generalisations about identity, and instead focus on simplifying assumptions. The password plague is only a problem because traditional access control was devised for technicians; consumer authentication simply needs better human-machine interfaces.

The real problem lies not in existing identity issuance processes; it’s to do with the way perfectly good identities once issued are taken ‘naked’ online where they’re vulnerable to takeover and counterfeiting. If we focussed on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.


Identity is dead! Long live identity!

While the post mortems of Cardspace and OpenID continue, surely the elephant in the room is the whole federated identity project. Empirically, federated identity has proven to be easier said than done. In Australia alone at least four well-funded projects foundered. Internationally there’s been a revolving door of industry groups and standards development, all well intended, but none of them yet cutting through. Like Simplified (née Single) Sign On, federated identity chronically over-promises and under-delivers.

Aren't the woes of Cardspace and OpenID intimately connected to the federated identity paradigm? And don't they bode ill for the National Strategy for Trusted Identities in Cyberspace? We need to make the connections if the grand plans for identity are to succeed.

I call for a more critical appraisal of federated identity. We’ve been mesmerised en masse by an easy intuition that if I am known by a certain identity in one circle, then I should be recognisable by more or less the same identity in other circles. Like many intuitions, it’s simply wrong.

False intuitions

In brief, this is how I see the state of play as it now stands:

OpenID provides an unverified nickname to log on to websites that don’t care who you are. The same trick is achieved by easier-to-use Twitter IDs or Facebook Connect, so these are proving more popular for blogs and the like. OpenID would be a mere curiosity except that it’s become the poster child of OIX and NSTIC. The White House extrapolates from the OpenID model to imagine that once you have an identity from a phone company or university you should be able to use it to log on to your bank.

The weird and wonderful Laws of Identity speak of deep truths about digital identity such as context, and they forcefully make the case for each of us exercising a plurality of identities, and never just one. The Laws expose the abstract roles of Identity Provider and Relying Party in what regular organisations like banks and governments do for their customers. Yet few if any of these institutions have been convinced by the Laws to openly embrace these roles, mainly because nobody has yet worked out a palatable way of allocating liability in multilateral brokered identity arrangements, without re-writing the contracts that currently govern how we buy, bank and access government services.

Cardspace is by turns a wondrous graphical user interface, and an implementation of the Identity Metasystem.

The Identity Metasystem is a utopian vision aiming high to enable stranger-to-stranger e-business. Ironically it’s a lot like the Big PKI of old in that it seeks to establish “trust” online. It inserts new players into what were previously tightly managed bilateral transactions, and changes the roles and risk profiles of conservative businesses like banks. In short, the Identity Metasystem is a radical change to how parties transact.

And finally all these new players and sub-plots are supposed to be parts of an “Identity Ecosystem”, and not merely isolated products & services in the next generation of a growing information security marketplace. The trouble here is that real ecosystems evolve rather than being architected. Artificial ecosystems like tropical aquariums and botanical gardens need constant care, attention and intervention to save them from collapse. Time will tell how the identity ecosystem fares if it's ever left to its own devices.

I have analysed different parts of the struggle for identity in greater detail elsewhere in my blog. To summarise:

  1. The evidence plainly shows that federation is harder than it looks; the reason is probably sheer legal novelty.
  5. The major problem in cyber space is prosaic and does not merit re-imagining how we conduct business; it is simply that the perfectly good identities we already have lose their pedigree when we take them casually from real world to digital.
  7. And we probably need a fresh frame for understanding how identities evolve in extant natural social ecosystems, so that we do a better job telling which identities are amenable to federation across contexts and which are best left alone in their current ecological niches.

And so in my view, the federated identity effort turns what really are straightforward technological problems -- the password plague and identity theft -- into intractable business and legal problems.

As the security marketplace absorbs the lessons of Cardspace and OpenID, for sure there will be fresh life breathed into digital identity.
