Trust is related to, but distinct from, reliability, mutuality, faith, and co-operation. We trust someone when we rely upon him. Yet trust is not the same as routine or predictability. We may rely on a bus turning up, but few of us would say we trust the bus to come. In contrast, we rely on a friend’s collecting us from the railway station because he has promised to do so. We trust the friend and feel let down, betrayed even, when he fails to do what he has promised; this is a different order of feeling from the disappointment we feel when the bus does not turn up on time. Trust involves our relying on other people when there is a risk that we might be let down or disappointed. When we trust someone, we make ourselves vulnerable to that person. Trusting involves taking a risk that one might be let down.1
There are many different conceptions of Identity Management. Some seek an identity framework of predictable reliability. Some seek an identity framework of trust – a far more difficult task.
The story goes that there was once a most unusual ape in the jungle. Then, one day, an explorer happened upon this unusual ape. And the ape became known as Tarzan of the Apes. Then, some time later, they realized that Tarzan was the son of an English couple and he was brought “home.” But the people at home didn’t quite trust this “Englishman” raised in the jungle.
We grow up navigating through our social world much as a fish navigates through water – we don’t notice the water while we’re alert to danger in that water. The topic of Identity Management is very much about how to detect danger (risk) and avoid it. But we need to understand the water before we can improve our ability to detect risk in it. Key aspects of the “water” of identity are communities, the roles that individuals may have within those communities and how those communities may interact or overlap. Within our daily life we navigate through our various roles within various communities without much thought – it’s intuitive. One goal, perhaps, is to move toward a more intuitive navigation through our digital communities2 with our digital identities.
Part of the draw of the Tarzan story is that it’s about this child growing up outside his community and then each side rediscovering the connection. The purpose of a birth certificate is really to provide an identification within a community – this mother identified herself at this facility and the facility (e.g. hospital) links her identity to that of the infant (and links any other identities that are presented as linked, e.g. father). And that community membership implies one or more roles within that community (parent/child, citizenship based on rules, etc.)3.
Over time, that infant goes to school, is in this class at this school, gets these grades. Then the family moves and the child goes to this other school, this other class, gets these grades. Later comes the ritual of getting a driver’s license. Proof of identity is….? Well, once upon a time the proof was the local issuer of the license knowing the applicant (or at least the family), one’s identity was embedded in the community’s direct knowledge of you. But now, much as banks once sent letters of introduction with a traveler so they could gain funds from a sister bank, we often rely on identity documents (credentials) provided by a distant community (or at least a community disconnected from the one needing identity proofing).
So identity is not only linked to a community but to one or more roles in that community (with the minimum role being a member of the community). As noted, even a birth certificate establishes roles based on relationships within a community - parent/child, citizenship based on rules, etc. By itself, the birth certificate does not necessarily establish identity4.
Several other types of documents establish or certify specific relationships and roles within communities: marriage license, bank account and debit/credit cards, property title or lease, U.S. Postal Service registered PO box or street address, employment contracts and delegation of authority, court documents (both criminal & civil with various outcome communities - felon, bankruptcy, divorce, etc), and death certificate.
Background checks explore that web of communities that a person is linked to. The policy framework used to determine the amount and scope of individual background information to be explored by a system-based background check, and how inappropriate access is prevented (and dealt with when discovered), is an important policy issue for Identity Management Systems. How does the system of identity management determine and appropriately manage access to and confidentiality of identity information (privacy and security policies with enforcement of the policies5)?
We currently have multiple forms of identity to establish our multiple roles in multiple communities. With my debit and credit cards I am a consumer with digital cash. With my driver’s license, I am a qualified driver registered in the state. With my employee badge, I’m an employee with access to certain areas and organizational resources (information systems, employee lounge, discounts on consumer items that the employer has negotiated) and there are procedures for changing that as my role changes. With my voter registration card, I can provide evidence of being eligible to vote. With my health insurance card, I’m recognized as being a member with certain eligibilities and certain co-pay fee schedules. The health insurer will need to also recognize my doctor, my pharmacy, my hospital, etc. They will each need to recognize each other and to manage who sees what information in my medical status and history (internal and external management of health service information).
With these various individual identity management systems in place, what does a uniform identity management system accomplish? Why is one needed? What are the intended consequences? What will be the unintended consequences? What are the alternative approaches?
Most authentication in current systems relies on direct contact within a community, reliable identification by other communities (“two picture ID’s please”) or on obscure personal information (on the idea that only the individual would know his mother’s maiden name, their social security number or credit card expiration date as well as the credit card number, etc.). A common, shared system may abolish obscurity of that personal information and may quickly lead to circular identification processes unless we carefully incorporate an understanding of community and role into our consideration of identity.
Iowa has begun an innovative Identity-Security Project. They are working to create a clearing house where the various documents used to create identity (birth certificate, death certificate, driver’s license, marriage license, social security number) can be linked. Then mechanisms can be developed to track attempts at identity theft as well as allow agencies to cross-link identity verification. Perhaps the citizen will eventually be able to update his identity information across a range of participating agencies with a single change.
At the point of issuance for a social security number and DOT-issued driver’s license/identity card (hereafter called ID), the birth certificate presented as proof of identity could be referenced against a state birth certificate database. If the birth certificate is valid and no other ID’s have been issued from it, the birth certificate would be linked to ID’s issued from it. The birth certificate record would also be electronically tied to the DOT photo database.
This has three advantages:
- When an ID is then presented in certain situations calling for strict security, a check could be run against the face database stored by DOT and identity could be established. (i.e. airport counter)
- Only one ID would be issued per birth certificate. This would allow easier identification of individuals attempting to falsify identity if the birth certificate is presented a second time.
- Enhanced procedures will lead to a decline of identity theft and fraud.
…The end result would be a system that incorporates individuals, picture ID, processes, documentation, and identity.
Draft Identity-Security Project, State of Iowa
Assuming a common identification system is possible6, the key of mapping identity with roles in a range of distinct communities (“yes, that is my credit card with that bank within the US banking system,” “yes, that is my driver’s license within the state motor vehicle and driver registration community,” “yes, that is my badge / employee# / smartcard / etc within the X employee community”) remains. After proper identification, additional constraints are likely to exist (the constraints may be the key reason for the identification). It’s my bank card but I can’t use it if I’m overdrawn; it’s my driver’s license but I shouldn’t use it without wearing my glasses; it is my employee smart card but it doesn’t get me through most secured doors unless I belong there.
It is role-based identity in a particular community that leads to an authentication which allows an authorization for whatever access or action is desired. As Iowa already recognizes, care is necessary to avoid building in single points of failure across the range of communities. Iowa contemplates an identity revocation process triggered by a death certificate. This requires some thought about how to not incorrectly cascade the rumor of Mark Twain’s death through a common identity system. It is fruitless to cancel his bank card, phone card, social security check, HMO eligibility and payroll check before the death is confirmed as the Twain and not someone with the same name and birthday7.
We began by talking about identity and trust. The level of trust to place in an identity/authentication process is specific to the community (and the explicit and implicit policies regarding the roles within the community). The identity/authentication process for one community that relies on another community’s identity/authentication process may also need to build in a means to dynamically re-authenticate the individual’s roles. A member of the other community may remain in that community but his role may change (one time identity/authentication of membership in the other community may not be sufficient -- e.g. real-time check of employee status or credit card validity).
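The issuance rule in the Iowa draft (one ID per birth certificate, with a second presentation flagged), the death-certificate cascade concern, and the real-time status check a relying community might make can be sketched together. This is an added example, not part of the Iowa draft or any real system; the class, method and record names and all sample data are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BirthRecord:
    cert_no: str
    name: str
    birth_date: str
    linked_id: Optional[str] = None   # the single ID issued from this certificate
    deceased: bool = False

class Clearinghouse:
    """Toy model of the linkage described above; every name here is hypothetical."""

    def __init__(self, records):
        self.records = {r.cert_no: r for r in records}
        self.alerts = []               # (reason, detail) tuples for human review

    def issue_id(self, cert_no, new_id):
        rec = self.records.get(cert_no)
        if rec is None or rec.deceased:
            self.alerts.append(("invalid_certificate", cert_no))
            return False
        if rec.linked_id is not None:  # certificate presented a second time
            self.alerts.append(("second_presentation", cert_no))
            return False
        rec.linked_id = new_id
        return True

    def id_is_valid(self, id_no):
        """Real-time check a relying community makes instead of trusting a past one."""
        return any(r.linked_id == id_no and not r.deceased
                   for r in self.records.values())

    def report_death(self, name, birth_date, cert_no=None):
        """Revoke only on an unambiguous match; return the list of revoked IDs."""
        matches = [r for r in self.records.values()
                   if r.name == name and r.birth_date == birth_date
                   and not r.deceased]
        if cert_no is not None:
            matches = [r for r in matches if r.cert_no == cert_no]
        if len(matches) != 1:          # nobody, or several share name and birthday
            self.alerts.append(("death_unconfirmed", (name, birth_date, len(matches))))
            return []
        matches[0].deceased = True
        return [matches[0].linked_id] if matches[0].linked_id else []

def sample_clearinghouse():
    # Constructed sample data: two different people, same name and birth date.
    ch = Clearinghouse([
        BirthRecord("BC-001", "Pat Example", "1970-01-01"),
        BirthRecord("BC-002", "Pat Example", "1970-01-01"),
    ])
    ch.issue_id("BC-001", "ID-A")
    ch.issue_id("BC-002", "ID-B")
    return ch
```

A death report carrying only a name and birth date matches both sample records, so nothing is revoked and an alert is raised; adding the certificate number revokes exactly one ID, and downstream communities see the change only through `id_is_valid`.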
These are issues specific to communities and their needs. Any Identity Management plan will need to attempt to describe a framework that allows the widest possible choices for these communities. It will also attempt to “nod” at social and political policy issues that shape any effort toward a common Identity Management System across the country. The core “nod” is that policy must address the questions: “What should a common Identity Management System do? And how is this done? Should there be a common framework to cross-identify (with knowledge of trustworthiness of a particular identity)? How are appropriate access and confidentiality maintained within it?” Underlying those policy questions will be key privacy and security issues not unlike those affecting Internet use now8.
Whether and when knowledge of “identity” could aid in solving a problem or meeting an objective depends in part on the word’s very definition. For the purposes of this report, identity indicates sets of information (say, a database record or strongly linked system of records) about a person that can be used to tell who that person is. Confirmation (at some level of assurance) of identity is useful in contexts when one or more of the following are needed:
- knowledge (in the present) about a person’s past is sought (e.g., the use of a dossier),
- knowledge about a person in the present needs to be remembered for use in the future (e.g., the creation of a dossier),
- distinguishing between two individuals is required to prevent the possibility of mistaking one of them for the other, or
- verification of identity information provided by a third party.
Identification and/or authentication are generally used to aid in recognition when there are multiple dealings with a single individual but could also be relevant to a single experience/transaction. (Note that authentication presumes a proffered identity that needs to be confirmed, whereas identification does not)
WHAT DOES IDENTITY PROVIDE?, National Academy of Science, 2002, National Academy Press
The current National Academy of Science draft about the issues of a common ID card is a valuable starting point in recognizing the issues in developing a common identity management system. The key point is that an ID card is only a piece of an identity management system and there are serious policy and practical issues to solve in developing a common identity management system. Iowa’s plan can be an excellent foundation for such a system. As the Iowa plan illustrates, government’s role in creating an identity system is to concentrate on the “who” someone is while others (business, associates, social organizations) who interact with the person determine the “what” that someone is. Trust builds from their interaction with the person, not from knowing “who.”
Some form of government identity management is the foundation, how that interacts with other identity management mechanisms is a core policy issue, and then how the complexity of identity management is handled architecturally (business process and technically) follows from the first two.
1 The Weightless Society, Charles Leadbeater, published by TEXERE LLC., 2000
2 The term “community” is used here in a very loosely defined way. The term “group” is probably a more accurate term, but the term community reminds us of that fundamental link to our core social groups, our basic communities that define our identity.
3 In fact, Tarzan’s story would have been much shorter and less interesting if the ape community had a birth certificate repository and identity management records.
4 Birth Certificates Alone do not Provide Conclusive or Reliable Proof of Identity: Many agencies and organizations request that individuals provide their birth certificates to receive a benefit or service, or to support the issuance of other documents often used for identity purposes (e.g., driver’s license). However, agencies who rely on birth certificates as a means of establishing identity must understand the limitations of accepting a birth certificate as proof of age, citizenship, or identity. For example, genuine documents obtained with counterfeit birth certificates can be used to obtain genuine birth certificates. Thus, it is inherently illogical to require someone to prove their identity using potentially fraudulent identity documents spawned by false birth certificates in order to obtain a birth certificate…. The primary purpose for which birth certificates were created -- to document and record births -- is served well by the large number of entities that issue them and the technology which makes them readily and quickly available. Because redesigning birth certificates could jeopardize their availability, to do so might be undesirable. Unfortunately, that availability contributes to fraud and the unreliability of birth certificates as identification documents.
5 What Privacy Is — and What It Is Not, by Charles J. Sykes, The End Of Privacy, St. Martin's Press, 1999
6 IDs – Not That Easy, Questions About Nationwide Identity Systems, National Academy of Science, 2002, National Academy Press
7 The Belinda “twins” of Australia: the same name and exact same birthdate lead to frequent confusion. http://catless.ncl.ac.uk/Risks/17.88.html#subj1
8 The current driver’s license bar code is readable by anyone with a reader; there may come a backlash as that is used for what are seen by the public as inappropriate purposes. If a driver’s licensee’s information is restricted, is it on the barcode and readable?
What Privacy Is — and What It Is Not
Charles J. Sykes
For some of us, privacy is simply the right to be let alone; but having said that, what precisely does it mean? Is privacy simply a matter of protecting our solitude? Is privacy something we can expect only when we are by ourselves, when no one else can see us, or gain access to us? Or does privacy extend beyond solitude to our relations with others - our family, friends, and associates? Are there times we can expect a modicum of privacy even when we are in public or engaged in public affairs? Is privacy the right to control information about ourselves? If so, what information? Can we really hope to control what impression we make? Can we regulate others’ reactions to our behavior?
Our experience of privacy is also likely to vary widely. For some of us, it is the ability to live a life unobserved, or to have a zone where we can develop intimate relations, blow off steam, relax and be ourselves in a way that is impossible in public. For others, it is to have a room or a life of their own, where they are freed from interference, judgment, and social pressure to pursue their interests, develop their talents, and take the sorts of chances that can be risked only in private. For some, privacy is what gives them a chance to repair their psyches and accumulate the moral and psychic capital they rely on when they emerge into public. For some of us, privacy is experienced in anonymity, the pleasure of being unknown or unrecognized when we travel to another city or take a vacation. (Surely one of the most significant losses of privacy for the modern celebrity is the inability to go anywhere without being recognized.) For some of us, privacy simply allows us to live in the twilight of public and private where we can go out unshaven, change jobs, and even relationships without being subject to publicity. For others, privacy may simply mean not being walked in on by parents or siblings; or it may be the power to choose what they reveal about themselves to others.
Each of us will react differently to violations of our privacy; we not only have different standards, we also calibrate our responses depending on our closeness or relationships with others. But we all have our own ladders of privacy, beginning with our closest relations, moving downward in descending orders of intimacy. For some, the ladder might look like this:
spouse
[priest, minister, rabbi]
brothers and sisters
parents
children
friends
in-laws
coworkers
neighbors
marketers
employers
government
news media
ex-spouses
potential rivals/enemies
Our willingness to share information declines with each rung. Information we would share with a sister, we might be unwilling to share with a parent, much less an in-law or a neighbor. We might have no qualms about giving our neighbor information about our habits that we would be very reluctant to share with our employer; and though we might share details of our sex lives with a friend, we would be horrified to share it with a government agent or (God forbid) the media. Certainly, our greatest fear would be for an enemy to compile a detailed and damaging dossier on us.
The End Of Privacy by Charles J. Sykes, St. Martin's Press, 1999