Catching on slowly to identity plurality
Stephen Wilson's Babysteps
Ideas to demystify identity, privacy, authentication and safety online.
We should be in the middle of a true paradigm shift, to a new worldview based on a plurality of identities. The Laws of Identity point with great clarity to the reality that we each lay claim to a suite of identities. My own work in PKI over the years (see e.g. Public Key Superstructure) has led to a firm belief in the usefulness of multiple digital certificates, mapping onto multiple real world identities.
And yet at the NIST IDtrust symposium recently, we saw evident resistance on the part of many speakers towards the idea of identity plurality. For instance, when asked about alternate identities, many speakers almost reflexively referred to these as "doppelgangers" or "evil twins" as if alternate identities were necessarily dubious or nefarious. It is also telling that OpenID in its first incarnation presumed one ID fits all, and had no allowance for multiple IDs (or what the Laws refer to as "directed identity").
So why is it taking so long for identity plurality to catch on?
I have come to believe that the IT world has been saddled for years with the tacit assumption that deep down we each have one “true” identity, and that the proper way to resolve rights and responsibilities is to render that identity as unique; that is, to get to the bottom of who the person “really is” before bobbing back up and checking what role they are acting in. But this search for the “real” identity can go too far.
When it does, it can expose far more of our selves than is warranted, and it can make it fiendishly difficult to disentangle our digital lives. The “singular identity” paradigm has had a deep and unhelpful influence on smartcards, biometrics, and the seductive federated identity movement.
Federated identity is a sort of mash-up of the things that are known about us in different contexts. It's not at all clear to me that "federated identity" is a universally good result. Too often, the end point of "federating" one’s identities is a single definitive statement of who you “really” are.
To illustrate their points, proponents of federated identity frequently cite drivers’ licences and the way they’re presented to bootstrap a new relationship, the classic case being when one opens a new video store account. In these sorts of use cases there is a pervasive belief in the primacy of one "true" identity.
And there is a serious category error when the real world experience of identity cards is extended superficially to federated ID. A driver licence might evince your “identity” when joining a video store but it does not persist in that relationship. It does not become your identity as a video store member. For that, you will receive a new membership card, and the driver licence is never sighted again. Think about it: would we be so comfortable with a video store that asked to see our driver licence every single time we rented a movie? In general we don't like having our "true" identity flaunted so often -- it feels invasive and it is unnecessary.
A less trivial example is your identity as an employee of Company X. The HR department may want to see your driver licence on your first day on the job, but that’s mainly to make sure they get your legal name correct. Thereafter, you carry an ID badge for Company X, which is your identity in that context. You don’t present your driver licence to get in the door of your workplace.
The question asked by federated ID is: How many identities do we really need? And all too frequently the answer comes out as only one!
The alternative view, exemplified in the Laws of Identity, is that each of us actually exercises a portfolio of separate identities, switching between them in different contexts. This is not an academic distinction; it really makes a big difference where you draw the line on how much you need to know to set a unique identity.
I remember once visiting my bank to deposit cheques into my business account. It happens that my personal account was at the same institution, and they had, without telling me, “federated” my multiple identities. The teller asked me which account I wanted the cheques to go to - my mortgage, my credit card or my debit account? I was truly shocked, especially as I had handed over the corporate key card. The cheques were not for me, Stephen Wilson, they were made out to my company. The fact that I am a signatory to the company bank account is completely immaterial to the arrangement that treats the company as a different entity. There are centuries of company law that tell us that the identity of the corporation is not the same thing as the identity of any of its employees.
Kim Cameron knows that his relativist definition of identity (“a set of claims made by one digital subject about itself or another digital subject”) might be unfamiliar to the mainstream; he recognises that it “does not jive with some widely held beliefs - for example that within a given context, identities have to be unique”.
When you change jobs, you really do have a new workplace identity. Likewise, one’s identity as a bank account holder is quite different from one’s identity as an employee. Try this thought experiment: your identity as an employee is suddenly destroyed when you are made redundant. How would you like your bank to know about this state of affairs before you’ve had a chance to make plans, evaluate your options, get another job? Your right to privacy could be deeply affected in a world where we arbitrarily hang different “roles” off the one uber identity.
Ironically I suspect that the singular identity paradigm is a child of the computer age. Before the Internet and before the advent of IdM, we lived happily in a world of plural identities - citizen, spouse, employee, customer, account holder, another account holder, patient, club member, another club member and so on ad infinitum. It was only after we started getting computer accounts that it occurred to people to think in terms of one “true” identity plus a constellation of “roles”; or to use the orthodox jargon, one authentication followed by multiple authorisations. So the irony is that very modern advances like the Laws of Identity might take us back to the way identities were before the Internet.
The thing about paradigms -- and one of the tests for whether or not the infamous "p word" is being applied properly -- is that they can have implications that go completely unchallenged by the mainstream. By way of example, let’s consider the possibility that the singular identity paradigm has enabled, without anyone noticing, the rather too easy acceptance by security experts of biometrics.
The idea of biometric authentication plays straight into the orthodox world view that each user has one “true” identity. The widespread intuitive appeal of biometrics must be based on an idea that what matters in all transactions is the biological organism. But it’s not. In most real world transactions, the “role” is all that matters, and it’s only under rare conditions of investigating frauds that we go to the forensic extreme of locating the organism.
There are huge risks if we go and make the actual organism central to routine transactions. It would make everything intrinsically linked, implicitly violating Privacy Principle No. 1: Don’t collect personal information if it’s not required.
It is an interesting question to ponder why the security community, which is usually proud of its caution, is so willing to embrace so quickly the risks of biometrics. Biometrics perform way short of what one would expect if it were true, as typically claimed, that they're based on "unique" traits. Compared with PINs, biometrics are actually really lousy: 2 or 3 per cent False Match Rate compared with 0.03 per cent for a four digit PIN with three retries.
They're usually advocated for convenience as well as (or instead of) security, but on that score they're still problematic. Confirmation times can be a minute or more for commercial solutions (according to UK Customs Service testing); some years ago Disney World in Florida decommissioned their hand scan turnstiles because they couldn't get the response time down below 10 seconds. Worst of all from a security point of view is the sheer impossibility of recovering from identity theft, since no known commercial biometric can be revoked and re-issued.
The irrational attraction of biometrics -- in the face of their very modest properties and their fatal flaws in respect of revocability -- may be because we’ve been inadvertently seduced by the relatively new idea that a single identity would be sensible.