I was talking with government identity strategists earlier this week. We were circling (yet again) definitions of identity and attributes, and revisiting the reasonable idea that digital identities are "unique in a context". Regular readers will know I'm very interested in context. But in the same session we were discussing the public's understandable anxiety about national ID schemes. And I had a little epiphany that the word "unique" and the very idea of it may be unhelpful. I wonder if we could avoid using the word "uniqueness" wherever we can.
The link from uniqueness to troublesome national identity is not just perception; there is a real tendency for identity and access management (IDAM) systems to over-identify, with an obvious privacy penatly. Security professionals feel instinctively that they more they know about people, the more secure we all will be.
Whenever we think uniqueness is important, I wonder if there are really other more precise objectives that apply? Is "singularity" a better word for the property we're looking for? Or the mouthful "non-ambiguity"? In different use cases, what we really need to know can vary:
- Is the person (or entity) accessing service the same as last time?
- Is the person exercising a credential clear to use it? Delegation of digital identity actually makes "uniqueness" moot)
- Does the Relying Party (RP) know the user "well enough" for the RP's purposes? That doesn't always mean uniquely.
I observe that when IDAM schemes come loaded with reference to uniqueness, it's tends to bias the way RPs do their identification and risk management designs. There is an expectation that uniqueness is important no matter what. Yet it is emerging that much fraud (most fraud?) exploits weaknesses at transaction time, not enrollment time: even if you are identified uniquely, you can still get defrauded by an attacker who takes over or bypasses your authenticator. So uniqueness in and of itself doesn't always help.
If people do want to use the word "unique" then they should have the discipline to always qualify it, as mentioned, as "unique in a context". But I have to say that "unique is a context" is not "unique".
Finally it's worth remembering that the word has long been degraded by the biometrics industry with their habit of calling most any biological trait "unique". There's a sad lack of precision here. No biometric as measured is ever unique! Every mode, even iris, has a non zero False Match Rate.
What's in a word? A lot! I'd like to see more rigorous use of the word "unique". At least let's be aware of what it means subliminally to the people we're talking with - be they technical or otherwise. With the word bandied around so much, engineers can tend to think uniqueness is always a designed objective, and laypeople can presume that every authentication scheme is out to fingerprint them. Literally.
Under new Prime Minister Malcolm Turnbull, innovation for once is the policy du jour in Australia. Innovation is associated with risk taking, but too often, government wants others to take the risk. It wants venture capitalists to take investment risk, and start-ups to take R&D risks. Is it time now for government to walk the talk?
State and federal agencies remain the most important buyers of IT in Australia. To stimulate domestic R&D and advance an innovation culture, governments should be taking some bold procurement risk, punting to some degree on new technology. Major projects like driver licence technology upgrades, the erstwhile Human Services Access Card, the national broadband roll-out, and national e-health systems, would be ideal environments in which to preferentially select next generation, home-grown products.
Obviously government must be prudent spending public money on new technology. Yet at the same time, there is a public interest argument for selecting newer solutions: in the rapidly changing online environment, citizens stand to benefit from the latest innovations, bred in response to current challenges.
What do entrepreneurs need most to help them innovate and prosper? It's metaphorical oxygen!
Too often, innovative entrepreneurs are met with the admonition you’re only trying to sell us something. Well yes we are, but it's because we believe we have something to meet real needs, and that customers actually need to buy something.