Identity Crisis…

September 9, 2009 by 12 Comments
Share

Despite the progress that is being made in web based service delivery and the general interoperability of distributed web systems, there is still one significant unaddressed deficiency that is holding back the potential of this market.

We still lack a universal means of asserting and communicating identity online.

blog-onlineidentity

It would be hard to imagine a functioning modern society without a broadly accepted means of establishing identity. And as more components of our social interactions move online, our lack of a singular, verifiable online identity is devolving from being merely cumbersome to becoming a major liability. It fractures the web into isolated communities that do not play nice together, and hinders the development of many commercial and personal forms of sharing and interaction. What’s most frustrating is that in the digital realm, universal identity is something that could be implemented in a way that’s far more convenient and efficient than any analog world equivalent.

In the physical world, identity depends on a complex network of ‘trusted agencies” that provide various levels of assurance that a person actually is who they claim to be. As individuals, we start with our birth records, and use that to begin establishing who we are. In the United States, the issuance of a birth certificate allows a person to get a uniquely identifying social security number. Issued by the federal government, this social security number is then used by schools, financial institutions, employers, and other government agencies as a means of linking records to that specific individual. These records build up on an historical basis to provide a comprehensive picture of who a person is.

Pieces of this historical record can be used as forms of identification: utility bills, bank statements, active credit cards, a driver’s license, a passport. Some ‘higher’ forms of identification are based on having multiple ‘lesser’ forms of identification. For example, getting a driver’s license in some states requires at least 4 other forms of identification. Because getting these higher forms of identification involve a more rigorous verification process, they often become a more broadly accepted means of establishing identity. For instance, if an institution trusts the screening process done by a state to issue a driver’s license, they can simply accept the license as a form of ID.

For an identity system to work in the real world, it is essential that the sources that need to check identity have trust in the sources that are issuing the identity information. While not originally intended as such, government issued passports and driver’s licenses have become the most trusted forms of identity in our society. As a practical matter, our government has become the ‘trust authority’ for establishing identity in the physical world.

Identity is a key element of so many things government is responsible for – immigration, taxation, permits, licensing, contracts, security, law enforcement, and social programs. Given the key role that government already plays in establishing identity, they are the logical body to address this issue in the online space. This is not an area that benefits from competition. Individuals need to be able to claim their digital identity once – for minimal cost – and have it accepted universally.

Probably the biggest obstacle standing in the way of having the government take on the role of issuing digital identity is the erosion of trust we have in the motives and integrity of our elected representatives. That won’t be easy to change, but establishing clearer regulations around online privacy, ownership of information, and protections from government snooping and misuse could go a long way to making government involvement in this space more acceptable.

We really don’t have another choice.

As we increasingly become a digital society, we can’t continue to ignore the importance of digital identity. What a I am advocating is letting the government issue digital certificates with public/private key pairs that would have the same legal recognition as a notarized signature does today. That’s it. The free markets can take it from there.

It’s been proven time and again that no society can flourish without a foundation of strong personal property rights. And the most fundamental element of personal property rights is your identity.

We need to act.

Filed Under: Posts Tagged With: , , , ,

Identity In A World Without Secrets (Part 1)…

July 8, 2008 by Leave a Comment
Share

What does “identity” mean?…

That’s not as easy a question as it may seem at first.

While our gut level definition might be along the lines of “who a person is”, that would certainly be too broad to be useful. A more reasonable definition for identity might be “a list of the unique attributes and characteristics associated with a person”. In practical terms, our “identity” is the collection of ways other people use to recognize us.

And that makes identity perceptual – not absolute…

In direct social interactions, “identity” is a well understood concept. Typically, we establish our identity in one of two ways. When dealing with a person we know, our relationship with them allows them to vouch for us directly. This is personal trust. When dealing with people we don’t know, it becomes necessary for someone else that they know and trust to vouch for us instead. This is assigned trust. Since there is little likelihood that a trusted individual will always be around to vouch for us, assigned trust usually involves some type of proxy – typically in the form of a hard-to-get credential from a respected institution. Passports, state drivers licenses, and military ID’s are common examples. Assigned trust allows people to accept that the identity given to them by another institution is accurate without having to verify any information directly.

While not foolproof, this process works exceptionally well. Not only does the credential require some type of verification before being issued, it also needs to be presented physically when used, and any details on it need to match the presenter. It’s a simple but effective model that has been able to scale up to a global level.

Unfortunately, identity in the online world is far less mature…

While trusted authorities do exist online, none of them play more than a niche role in establishing identity. Companies may issue identity certificates to their employees so they can access internal resources and systems – but they carry no weight or significance anywhere else. And governments – the largest trust authorities in the physical world – play no role at all in online identity.

The sad fact is that online identity comes down to two fragile things.

Knowledge and secrets…

To establish my identity in the online world, I don’t have the option to use a certificate or digital ID. Instead, I am asked to provide detailed information about myself – things like my social security number, mother’s maiden name, favorite pet, or current employer. The logic behind this approach is that the things I am being asked for are not well known. Collectively, they are supposed to represent a “secret” – knowledge shared just between myself and the entity that is asking for it.

But like most people, I don’t just have a single trust based relationship online. And since there is no central trust authority, every trust based relationship requires that I establish my identity in a similar manner. Since they ask many of the same questions, knowledge that needs to be kept secret spreads to an increasingly broader circle. When combined with the number of copies of this information that are available in the physical, offline world, a major problem becomes apparent.

Secrets shared by too many people are no longer “secret”…

Information about us is everywhere.

First is the information we freely share. Some people provide an incredible number of details about themselves on sites like MySpace or Facebook, and it is amazing how many additional details can be uncovered about an individual by starting with that information and digging deeper. There’s more about them floating around out there than most people realize.

And then there is the information we have to give out. Bank account numbers are at the bottom of every check that we send out. Our social security number is on all our workplace, medical and financial records, and many official government documents associated with us – some of which are available for public inspection. Our address, email, and phone numbers are required by too many people to even keep track of. Many of the ‘trivia’ questions we are asked, like “Favorite Pet” or “Mother’s Maiden Name” are also used by sites as keys to recover forgotten passwords, and are known by more friends and coworkers than we realize. There are also countless more individuals with complete access to records containing our information as a part of the jobs they do. And not all of them can be trusted.

And then there are people who simply collect this information and sell it online.

Secrets are a transparent veil offering only an illusion of security…

Anyone that knows enough things about us – things that are not that difficult to find out – can simply become us online. They can use what they do know to gain access to things they don’t yet know. They can then start changing things like addresses and contact numbers, and mold our online identity into something they can more easily use to safely access our financial assets.

And it happens all the time…

Though I’ve discussed the lack of true identity in the context of the online world, it isn’t just limited to there. Someone using a telephone (our pre-internet global network) can do many of the same things – often with the unwitting help of the person on the other end of the line that should be protecting us. In today’s world, if someone doesn’t have to show up in person and present an ID, proof of identity comes down to what they know.

And if they know our “secrets”, they must be us…

Identity is a fundamental, almost axiomatic, human right – the right to be who we are, uniquely. But beyond that more philosophical perspective, it is also an essential component of all of our key social interactions. It is the cornerstone of most commerce, and a necessary ingredient of the increasingly transactional legal frameworks we operate in.

It is at the heart of the way we function as a modern society.

And it all depends on the quixotic notion of “keeping secrets”…

To Be Continued…
In Part 2 of this post, I’ll discuss both near term and structural approaches to securing identity online, and to dealing with the rampant global problem of identity theft.

Filed Under: Posts Tagged With: , , , , , ,