Identity In A World Without Secrets (Part 1)…

What does “identity” mean?…

That’s not as easy a question as it may seem at first.

While our gut-level definition might be along the lines of “who a person is”, that would certainly be too broad to be useful. A more reasonable definition for identity might be “a list of the unique attributes and characteristics associated with a person”. In practical terms, our “identity” is the collection of ways other people use to recognize us.

And that makes identity perceptual – not absolute…

In direct social interactions, “identity” is a well-understood concept. Typically, we establish our identity in one of two ways. When dealing with a person we know, our relationship with them allows them to vouch for us directly. This is personal trust. When dealing with people we don’t know, it becomes necessary for someone else that they know and trust to vouch for us instead. This is assigned trust. Since there is little likelihood that a trusted individual will always be around to vouch for us, assigned trust usually involves some type of proxy – typically in the form of a hard-to-get credential from a respected institution. Passports, state driver’s licenses, and military IDs are common examples. Assigned trust allows people to accept that the identity given to them by another institution is accurate without having to verify any information directly.

While not foolproof, this process works exceptionally well. Not only does the credential require some type of verification before being issued, it also needs to be presented physically when used, and any details on it need to match the presenter. It’s a simple but effective model that has been able to scale up to a global level.

Unfortunately, identity in the online world is far less mature…

While trusted authorities do exist online, none of them play more than a niche role in establishing identity. Companies may issue identity certificates to their employees so they can access internal resources and systems – but they carry no weight or significance anywhere else. And governments – the largest trust authorities in the physical world – play no role at all in online identity.

The sad fact is that online identity comes down to two fragile things.

Knowledge and secrets…

To establish my identity in the online world, I don’t have the option to use a certificate or digital ID. Instead, I am asked to provide detailed information about myself – things like my social security number, mother’s maiden name, favorite pet, or current employer. The logic behind this approach is that the things I am being asked for are not well known. Collectively, they are supposed to represent a “secret” – knowledge shared just between myself and the entity that is asking for it.

But like most people, I don’t just have a single trust-based relationship online. And since there is no central trust authority, every trust-based relationship requires that I establish my identity in a similar manner. Since they ask many of the same questions, knowledge that needs to be kept secret spreads to an increasingly broad circle. When combined with the number of copies of this information that are available in the physical, offline world, a major problem becomes apparent.

Secrets shared by too many people are no longer “secret”…

Information about us is everywhere.

First is the information we freely share. Some people provide an incredible number of details about themselves on sites like MySpace or Facebook, and it is amazing how many additional details can be uncovered about an individual by starting with that information and digging deeper. There’s more about them floating around out there than most people realize.

And then there is the information we have to give out. Bank account numbers are at the bottom of every check that we send out. Our social security number is on all our workplace, medical and financial records, and many official government documents associated with us – some of which are available for public inspection. Our address, email, and phone numbers are required by too many people to even keep track of. Many of the ‘trivia’ questions we are asked, like “Favorite Pet” or “Mother’s Maiden Name”, are also used by sites as keys to recover forgotten passwords, and are known by more friends and coworkers than we realize. There are also countless more individuals with complete access to records containing our information as a part of the jobs they do. And not all of them can be trusted.

And then there are people who simply collect this information and sell it online.

Secrets are a transparent veil offering only an illusion of security…

Anyone who knows enough things about us – things that are not that difficult to find out – can simply become us online. They can use what they do know to gain access to things they don’t yet know. They can then start changing things like addresses and contact numbers, and mold our online identity into something they can more easily use to safely access our financial assets.

And it happens all the time…

Though I’ve discussed the lack of true identity in the context of the online world, the problem isn’t limited to it. Someone using a telephone (our pre-internet global network) can do many of the same things – often with the unwitting help of the person on the other end of the line who should be protecting us. In today’s world, if someone doesn’t have to show up in person and present an ID, proof of identity comes down to what they know.

And if they know our “secrets”, they must be us…

Identity is a fundamental, almost axiomatic, human right – the right to be who we are, uniquely. But beyond that more philosophical perspective, it is also an essential component of all of our key social interactions. It is the cornerstone of most commerce, and a necessary ingredient of the increasingly transactional legal frameworks we operate in.

It is at the heart of the way we function as a modern society.

And it all depends on the quixotic notion of “keeping secrets”…

To Be Continued…
In Part 2 of this post, I’ll discuss both near-term and structural approaches to securing identity online, and to dealing with the rampant global problem of identity theft.