Part B: The Ecology and Natural History of Digital Identity
In Part B, I present an alternative framework for understanding digital identity. I will show that a rich variety of identities have evolved to suit distinctly different settings. Just as with real world ecology, characteristics that optimise an identity species in one environment can work against it in others. The best way forward is to understand the “memetics” of digital identities, and then perhaps we can re-engineer at least some of them with greater success.
Part A recap: Despite its intuitive appeal, federating digital identities – or taking identities issued in one setting and reusing them in others – has proven unexpectedly difficult. For practical purposes, the dominant theoretical framework, The Laws of Identity, has failed. The laws set out an open, new identity ‘ecosystem’ and predicted that many institutions would recast themselves as general purpose identity providers. But little of this has come to pass. Instead, Microsoft has withdrawn its flagship authentication product Cardspace, promising Identity 2.0 start-ups like sxip have collapsed, well-supported initiatives like the Australian banks’ Trust Centre and Project Mambo have failed, and nobody has yet explained the yawning gap between expectation and reality.
Revisiting the identity security problem
The password plague and ‘token necklace’ elicited a sort of broad moral panic, yet they are essentially just human factors engineering problems. Traditional access control was devised for technicians, by technicians; consumer authentication demands better user interfaces.
Federated identity seeks to kill two or three birds with the one stone. While trying to make identities harder to subvert, it also seeks to build new ID issuance pathways, and to broker new channels between relying parties and ID issuers. The grandest plans seek to support stranger-to-stranger e-business, and thus open up untold opportunities for institutions to capitalise in new ways on their customer relationships.
Yet the most pressing identity management problems have little to do with issuance; rather they relate to the way perfectly good identities once issued are taken ‘naked’ online as simple alphanumeric data, vulnerable to takeover and counterfeiting. If we focussed on conserving context and virtualising real world IDs in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.
By far the most economically important transactions on the Internet are not carried out with total strangers but instead occur between parties that already understand each other’s credentials. Serious business is always done within well established risk management and legal arrangements. There are registration protocols, formal qualifications, agreed terms & conditions, legislation in many industries, and liability allocation. Examples include retail payments, B2B payments, healthcare, accounting and auditing, share trading, superannuation and funds management. And there is an infinite variety of private trading networks―from local buying groups to global clearing houses―all managed under commercial contracts.
Each of these closed transaction settings is rich with context and powerful simplifying assumptions. The types of identifiers used to authorise all authorised parties are known in advance. Everyone knows precisely where they stand before they transact, and indeed before they’ve even installed whatever application software and identity devices are mandated by the scheme they’re working in.
The arch problem that cries out to be solved online is the takeover and/or counterfeiting of identifying information. Simple mechanical weaknesses in the way we present our sensitive data leave them vulnerable to attack. These are technologically straightforward issues; they have nothing at all to do with the “trust” that today’s breed of identity engineers concern themselves with.
For the most part we actually identify people well enough in the real world. Sometimes our identification breaks down, but not so often that the entire paradigm needs overturning. Instead, like each and every risk management control, identification undergoes continuous improvement. There are authorities that oversee each transaction context and learn from those odd cases of misidentification. They monitor fraud and other risks, as well as performance, and they steadily tweak all sorts of variables to optimise a mix of objectives peculiar to each business environment.
The natural history of identities
Things are the way they are because they got that way.
For all the talk of identity “ecosystems”, genuine ecological thinking has been lacking in contemporary identity theory.
The term ecosystem has become fashionable in IT, as a sexy euphemism for “marketplace”. With a politically correct ring to it, “ecosystem” is used to lift the conversation above the hurly-burly of competition and to attract more government support. But those who like the term should heed the fact that the strongest ecosystems evolve naturally; they are never designed. Truthfully, the ecosystem anticipated by The Laws of Identity and the National Strategy for Trusted Identities in Cyberspace (NSTIC; see http://www.nist.gov/nstic) is an elaborate IT architecture with predefined and often novel roles for all players. At the time of writing, NSTIC is far from complete, with many anticipating that special new legislation will be needed to allocate liability when using privately issued identities. Nobody yet knows if the system is sustainable by the private sector. The prefix “eco” is optimistic.
On the other hand, what if we actually thought ecologically about the identity problem? Let’s look afresh at the rich variety of identities we already have in the real world and ask as a famous naturalist once did: Where did they all come from?
The origin of identities – with apologies to Charles Darwin
In Part A we saw that digital identity is a proxy for a relationship one has with a community of interest. Whenever someone questions the need for so many IDs, they had best remember that modern life is complicated, and that the variety of identities is a direct result of us exercising a spread of relationships. We have always conducted our business and personal lives with multiple connections. Now cyberspace presents a dizzying array of new services, each of which by default represents a new relationship and potentially a fresh identity.
The great identity proliferation of the past decade was largely artificial. Most media and blog sites are inherently impersonal; the only reason their providers force us to register is so they can strike up a new relationship of some sort. They know most casual users register reluctantly and use false names to protect their privacy, but it’s a numbers game. Sites hope a proportion of registrations are bona fide, and they work to improve the quality of their user relationships over time.
So the runaway inflation of identities was mostly fuelled by social media, and a relationship land grab. Social logon was a godsend for users and sites alike. Now we can use our existing account with Google, Facebook, Twitter or many dozens of others to log on to shopping sites, media outlets, blogs and networks. Ostensibly social logon offers faster, almost seamless re-registration, which is great for users. And sites benefit because reducing friction lifts not only bulk registration rates but fidelity as well, as users work to gradually enrich and polish their treasured social identity.
But what of our other more ‘serious’ identities, like bank accounts, credit cards, employee IDs and health identifiers? Social logon has unquestioningly become the model for joining up these types of relationships as well. In 2011 when launching NSTIC, White House cyber security chief Howard Schmidt blogged: “Imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”.1
Yet experience shows that re-using identities across different contexts is harder than it looks. In fact banks have found that re-using identities even amongst themselves under identical legislated rules is extremely difficult. Let’s look at the forces that have worked to shape all these identities even before we took them online.