A new theory of digital identity


The final instalment of a two-part feature series explores the troubled practice of federated identity.

Part B: The Ecology and Natural History of Digital Identity


In Part B, I present an alternative framework for understanding digital identity. I will show that a rich variety of identities have evolved to suit distinctly different settings. Just as in real world ecology, characteristics that optimise an identity species in one environment can work against it in others. The best way forward is to understand the “memetics” of digital identities, and then perhaps we can re-engineer at least some of them with greater success.

Part A recap

Despite its intuitive appeal, federating digital identities – that is, taking identities issued in one setting and reusing them in others – has proven unexpectedly difficult. For practical purposes, the dominant theoretical framework, The Laws of Identity [1], has failed. The laws set out an open, new identity ‘ecosystem’ and predicted that many institutions would recast themselves as general purpose identity providers. But little of this has come to pass. Instead, Microsoft has withdrawn its flagship authentication product CardSpace, promising Identity 2.0 start-ups like sxip have collapsed, well-supported initiatives like the Australian banks’ Trust Centre and Project Mambo have failed, and nobody has yet explained the yawning gap between expectation and reality.

Revisiting the identity security problem

The password plague and ‘token necklace’ elicited a sort of broad moral panic, yet they are essentially just human factors engineering problems. Traditional access control was devised for technicians, by technicians; consumer authentication demands better user interfaces.

Federated identity seeks to kill two or three birds with the one stone. While trying to make identities harder to subvert, it also seeks to build new ID issuance pathways, and to broker new channels between relying parties and ID issuers. The grandest plans seek to support stranger-to-stranger e-business, and thus open up untold opportunities for institutions to capitalise in new ways on their customer relationships.

Yet the most pressing identity management problems have little to do with issuance; rather they relate to the way perfectly good identities once issued are taken ‘naked’ online as simple alphanumeric data, vulnerable to takeover and counterfeiting. If we focussed on conserving context and virtualising real world IDs in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.

By far the most economically important transactions on the Internet are not carried out with total strangers but instead occur between parties that already understand each other’s credentials. Serious business is always done within well established risk management and legal arrangements. There are registration protocols, formal qualifications, agreed terms & conditions, legislation in many industries, and liability allocation. Examples include retail payments, B2B payments, healthcare, accounting and auditing, share trading, superannuation and funds management. And there is an infinite variety of private trading networks―from local buying groups to global clearing houses―all managed under commercial contracts.

Each of these closed transaction settings is rich with context and powerful simplifying assumptions. The types of identifiers used by all authorised parties are known in advance. Everyone knows precisely where they stand before they transact, and indeed before they’ve even installed whatever application software and identity devices are mandated by the scheme they’re working in.

The arch problem that cries out to be solved online is the takeover and/or counterfeiting of identifying information. Simple mechanical weaknesses in the way we present our sensitive data leave it vulnerable to attack. These are technologically straightforward issues; they have nothing at all to do with the “trust” that today’s breed of identity engineers concern themselves with.

For the most part we actually identify people well enough in the real world. Sometimes our identification breaks down, but not so often that the entire paradigm needs overturning. Instead, like each and every risk management control, identification undergoes continuous improvement. There are authorities that oversee each transaction context and learn from those odd cases of misidentification. They monitor fraud and other risks, as well as performance, and they steadily tweak all sorts of variables to optimise a mix of objectives peculiar to each business environment.

The natural history of identities

Things are the way they are because they got that way.

Gerald Weinberg

For all the talk of identity “ecosystems”, genuine ecological thinking has been lacking in contemporary identity theory.

The term ecosystem has become fashionable in IT, as a sexy euphemism for “marketplace”. With a politically correct ring to it, “ecosystem” is used to lift the conversation above the hurly-burly of competition and to attract more government support. But those who like the term should heed the fact that the strongest ecosystems evolve naturally; they are never designed. Truthfully, the ecosystem anticipated by The Laws of Identity and the National Strategy for Trusted Identities in Cyberspace (NSTIC; see http://www.nist.gov/nstic) is an elaborate IT architecture with predefined and often novel roles for all players. At the time of writing, NSTIC is far from complete, with many anticipating that special new legislation will be needed to allocate liability when using privately issued identities. Nobody yet knows if the system is sustainable by the private sector. The prefix “eco” is optimistic.

On the other hand, what if we actually thought ecologically about the identity problem? Let’s look afresh at the rich variety of identities we already have in the real world and ask as a famous naturalist once did: Where did they all come from?

The origin of identities (with apologies to Charles Darwin)

In Part A we saw that digital identity is a proxy for a relationship one has with a community of interest. Whenever someone questions the need for so many IDs, they would do well to remember that modern life is complicated, and that the variety of identities is a direct result of us exercising a spread of relationships. We have always conducted our business and personal lives with multiple connections. Now cyberspace presents a dizzying array of new services, each of which by default represents a new relationship and potentially a fresh identity.

The great identity proliferation of the past decade was largely artificial. Most media and blog sites are inherently impersonal; the only reason their providers force us to register is so they can strike up a new relationship of some sort. They know most casual users register reluctantly and use false names to protect their privacy, but it’s a numbers game. Sites hope a proportion of registrations are bona fide, and they work to improve the quality of their user relationships over time.

So the runaway inflation of identities was mostly fuelled by social media, and a relationship land grab. Social logon was a godsend for users and sites alike. Now we can use our existing account with Google, Facebook, Twitter or many dozens of others to log on to shopping sites, media outlets, blogs and networks. Ostensibly social logon offers faster, almost seamless re-registration, which is great for users. Sites benefit too: reducing friction lifts registration rates, and the quality of the resulting records improves as users gradually enrich and polish their treasured social identity.

But what of our other more ‘serious’ identities, like bank accounts, credit cards, employee IDs and health identifiers? Social logon has been adopted, largely without question, as the model for joining up these types of relationships as well. In 2011, when launching NSTIC, White House cyber security chief Howard Schmidt blogged: “Imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”. [note 1]

Yet experience shows that re-using identities across different contexts is harder than it looks. In fact banks have found that re-using identities even amongst themselves under identical legislated rules is extremely difficult. Let’s look at the forces that have worked to shape all these identities even before we took them online.


Identities evolve

While the federated identity movement calls for a new ecosystem to be built, proponents seem oblivious to the existing ecology of business which has spawned very specific arrangements for managing risk in different sectors and communities-of-interest.

As discussed in Part A, business is conducted in circles, or communities-of-interest. There are always membership rules that govern how an individual joins a business circle―whether it be a company, a professional association or a payment scheme―to help all parties manage their risks. Some rules are set freely―by employers, merchants, associations and the like―while others are legislated in industries like aviation, healthcare and finance. In each setting, whether it’s regulated or entirely laissez faire, protocols are fine-tuned over time to cope with changing conditions. That is, they evolve.

In this light, there is a special term that applies. The conventions, rules, professional charters, laws, regulations and technical standards that control how we identify in different contexts are memes, namely heritable units of cultural transmission or of imitation [2]. For many decades, a whole spectrum of identity memes has been passed on from one business generation to the next:

  • Anti-counterfeiting features for original identity documents are constantly being refined. Simply adding the photo of the document holder transformed driver licences and citizenship papers many years ago. Many traditional measures are a variation on the theme of making document features difficult to replicate without a specialist printing plant. These include microprinting, guilloche artwork, holograms and optically variable dyes. More recently, electronics have been added―most notably chips―which resist cloning and bring added powers such as storage of a biometric template against which the person presenting the document may be verified.

  • Most countries legislate Know Your Customer (KYC) rules for how financial institutions must prove the identity of their account holders. In Australia, the Financial Transaction Reports Act 1988 created the “100 point” check where varying weightings are given to each of a schedule of identity documents. International banking accords from time to time bring pressure to bear on local KYC rules, often seeking to harmonise them. Developments in organised crime led to a broadening of KYC rules under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 to non-bank sectors, while at the same time enabling online presentation of document details to open some types of purely online bank accounts.

  • Driver licences have come to be widely used to prove identity in retail transactions, despite the fact that many roads & traffic authorities wish they simply remained as permits to operate motor vehicles. It is not clear that licence issuers ever officially sanctioned licences as proof of identity but it has obviously been mimicked across many different sectors, and slowly adapted and varied in many ad hoc ways. So identification by driver licence is a meme that has jumped across many different identity species, a phenomenon often seen in bacterial genetics.

  • The number of “authentication factors” has grown over time to counteract ID theft and account takeover. There are many variations on the multi-factor meme, including Chip Authentication Program (CAP) readers that generate one-time codes from a Chip-and-PIN card, one-time passcodes texted to customers’ phones, and hybrid biometrics.

  • Password practices have become ever stricter. Minimum recommended lengths keep growing, and mixing character classes became necessary as brute force and dictionary attacks grew more powerful, especially offline attacks on stolen password hashes.

  • Cryptographic algorithms never stand still for very long. Ongoing cryptanalysis strives to stay ahead of potential attackers, actively searching for weaknesses and forcing enhancements over a succession of standards: from MD5 through SHA-1 to SHA-2, with SHA-3 then nearing standardisation, for message digests; and from DES and RC4 through Triple DES (3DES) to the current state-of-the-art AES cipher.

As business environments change, risk management rules respond. And so identity management processes and technologies are subject to natural selection. An ecological treatment of identity recognises that selection pressures act on the many separate facets of digital identity, generally strengthening them. On occasion however, some environmental pressures act to actually weaken identity practices. For example, heightened privacy awareness is leading to some employers collecting less identifying information from new starters than they might otherwise prefer. 

If we think ecologically, we can better explain the surprising power of context in identity management. It is ironic that the Laws of Identity emphasise the importance of context, and yet federated identity programs repeatedly underestimate how IDs resist changing context.

The tight fit that evolves between each given identity and the setting in which it is intended to be used is best described by the term ecological niche. As with real life ecology, characteristics that bestow fitness in one niche can work against the organism or digital identity in another.

Identity “silos” are much derided, but we can see now that they are a natural consequence of how all business rules are matched to particular contexts. The environmental conditions that shaped the particular identities issued by banks, credit card companies, employers, governments and professional bodies are not fundamentally changed by the Internet. As such, we should expect that when these identities transition from real world to digital, their properties―especially their “interoperability” and liability arrangements―cannot readily adapt.

So taking a mature digital identity, like a university student ID, out of its natural niche and hoping it will interoperate in another like banking is a lot like taking a salt water fish and dropping it into a fresh water tank.

On the other hand, the ecological frame neatly explains why purely virtual identities like blogger names, online social network (OSN) handles and gaming avatars are so highly interoperable: their environmental niches are not so specific. Thinking about how quickly and widely social identities like Facebook Connect have spread, in a very real sense we can describe them as weeds!

The way forward: Identity conservation

We all know that the hardest parts of any digital transformation project are to do with change management and process reengineering, and not technology. The underlying reason that so many identity schemes struggle should now be plain to see: we’ve not only been looking at relatively unimportant problems, they’ve been the most intractable problems. If we focussed instead on conserving context and faithfully replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of overturning long standing business practices.

One of the most robust ways to render a digital ID non-replayable is to cryptographically bind it to the particular transaction it is being used to authorise, whether by a digital signature or by a keyed cryptogram. This is how the most secure modes of EMV CAP work for paying by Chip-and-PIN card online: the customer inserts their card into a portable standalone reader, enters the details of the payment (typically the amount and a challenge or payee value) together with their PIN, and a secret key held inside the chip computes a cryptogram over that data, from which the reader derives a short one-time code. The code is unique to that transaction and reveals nothing about the key, so a code captured by an attacker cannot be replayed against a different payment; and because the card’s transaction counter is included in the computation, it cannot be replayed even for the same one.
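The binding described above, as an added example written for this edit (it is not code from the article, nor an implementation of the real EMV CAP algorithm): a card holds a secret key and a transaction counter and computes a short code over the counter, the merchant’s challenge, the amount and the payee; the issuer, holding the same key, recomputes the code and rejects both altered transactions and reused counter values. HMAC-SHA256 stands in for the card’s EMV cryptogram, and the key, PIN, challenge and payee are constructed values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key. A real card's key is derived from an issuer master key, and the
# cryptogram is computed over EMV-defined fields rather than the string built below.
CARD_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def transaction_code(secret: bytes, atc: int, challenge: str, amount_cents: int, payee: str) -> str:
    """Derive an 8-digit one-time code bound to (counter, challenge, amount, payee)."""
    msg = f"{atc}|{challenge}|{amount_cents}|{payee}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate the MAC to something a person can type; the key stays inside the card.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


@dataclass
class Card:
    secret: bytes
    pin: str
    atc: int = 0          # application transaction counter, incremented per use

    def sign_transaction(self, pin: str, challenge: str, amount_cents: int, payee: str):
        # The PIN is checked by the card itself; it never forms part of the code.
        if not hmac.compare_digest(pin, self.pin):
            raise PermissionError("PIN rejected")
        self.atc += 1
        return self.atc, transaction_code(self.secret, self.atc, challenge, amount_cents, payee)


@dataclass
class Issuer:
    card_secret: bytes
    last_atc: int = 0     # highest counter value already honoured for this card

    def verify(self, atc: int, code: str, challenge: str, amount_cents: int, payee: str) -> bool:
        if atc <= self.last_atc:
            return False  # replay: this counter value has already been spent
        expected = transaction_code(self.card_secret, atc, challenge, amount_cents, payee)
        if not hmac.compare_digest(expected, code):
            return False  # code was computed over different transaction details
        self.last_atc = atc
        return True


def demo() -> dict:
    """Run one genuine payment, then three misuse attempts against the same code."""
    card = Card(CARD_SECRET, pin="4321")
    issuer = Issuer(CARD_SECRET)
    challenge = "83920174"            # constructed merchant challenge
    atc, code = card.sign_transaction("4321", challenge, 12500, "ACME Pty Ltd")
    return {
        "genuine": issuer.verify(atc, code, challenge, 12500, "ACME Pty Ltd"),
        "tampered_amount": issuer.verify(atc + 1, code, challenge, 99900, "ACME Pty Ltd"),
        "diverted_payee": issuer.verify(atc + 1, code, challenge, 12500, "Mule Ltd"),
        "replayed": issuer.verify(atc, code, challenge, 12500, "ACME Pty Ltd"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

Only the genuine case is accepted; the tampered, diverted and replayed attempts all fail, the first two because the code no longer matches the transaction details and the last because the counter value has already been spent. A signature scheme gives the same binding with the added property that the issuer need not hold the card’s secret.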

Along with resistance to replay attack, digital certificates and signatures deliver the missing ingredient of context. This is perhaps the greatest untapped power of PKI. A public key certificate can carry a certificatePolicies extension (RFC 5280, section 4.2.1.4) holding one or more Policy Object Identifiers, each of which points to a precise, detailed specification of what that type of certificate is for, the conditions under which it was issued, the applications it is intended for and so on. In short, the Certificate Policy nails down the context for the identity.

Context has been bland and underdeveloped in “Big PKI”. Historically, commercial CAs issued a limited range of general purpose certificates; the only variables in orthodox Certificate Policies tend to be a non-specific ‘Level of Assurance’, the name of the issuing CA, the liability limits imposed, and any warranty the CA was prepared to offer. Yet the Certificate Policy can specify so much more.

When special purpose digital certificates are issued in a closed community of interest, the Policy can set out the precise relationship between the Subjects and the CA acting on behalf of the community. So for instance, one type of digital certificate might convey the fact that the Subject is an accredited surveyor in the state of New South Wales with a given licence number; another can represent that the Subject is a Director of a company with a certain securities commission registration number (note that the same individual might carry both of these certificate types, using one of them to sign survey reports and the other to sign company returns). Unique object identifiers (OIDs) for these different ‘species’ of certificate can be registered globally under the ISO/ITU-T OID tree. Relying Party software in different contexts can then be configured to accept only certificates that chain to the community’s own CA and carry the anticipated Policy OID; together these signal a party’s authority to transact.
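As an added illustration (example code written for this edit, not from the original article or from any product it mentions), the following Python uses the `cryptography` library to issue two certificates to one subject under hypothetical policy OIDs in the ITU-T example arc 2.999, plus a certificate from an unrelated CA that copies the community CA’s name and asserts the same OID. The relying-party check accepts only the combination of the expected community CA and the expected policy. The CA names, subject name and OIDs are all constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Hypothetical policy OIDs. The 2.999 arc is reserved by ITU-T for examples, so these
# collide with nothing real; a live scheme would register its own arc.
SURVEYOR_POLICY = x509.ObjectIdentifier("2.999.1.1")  # "accredited surveyor, NSW"
DIRECTOR_POLICY = x509.ObjectIdentifier("2.999.1.2")  # "registered company director"


def _name(common_name: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _issue(subject, issuer, subject_key, signing_key, policies, is_ca):
    """Build and sign a certificate; the policy OIDs go into certificatePolicies."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if policies:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(oid, None) for oid in policies]),
            critical=False,
        )
    return builder.sign(signing_key, hashes.SHA256())


# Two community CAs (constructed): one for surveyors, one for company directors.
BOARD_KEY = ec.generate_private_key(ec.SECP256R1())
BOARD_CERT = _issue("Surveyors Board CA", "Surveyors Board CA", BOARD_KEY, BOARD_KEY, [], True)
REGISTRAR_KEY = ec.generate_private_key(ec.SECP256R1())
REGISTRAR_CERT = _issue("Companies Registrar CA", "Companies Registrar CA",
                        REGISTRAR_KEY, REGISTRAR_KEY, [], True)

# One person, one key pair, two certificates, each asserting a different policy.
PERSON_KEY = ec.generate_private_key(ec.SECP256R1())
SURVEYOR_CERT = _issue("Jane Citizen", "Surveyors Board CA", PERSON_KEY, BOARD_KEY,
                       [SURVEYOR_POLICY], False)
DIRECTOR_CERT = _issue("Jane Citizen", "Companies Registrar CA", PERSON_KEY, REGISTRAR_KEY,
                       [DIRECTOR_POLICY], False)

# An outsider CA that copies the board's name and asserts the surveyor OID. The name and
# the OID alone prove nothing; only the signature ties the policy to the community.
ROGUE_KEY = ec.generate_private_key(ec.SECP256R1())
ROGUE_CERT = _issue("Jane Citizen", "Surveyors Board CA", PERSON_KEY, ROGUE_KEY,
                    [SURVEYOR_POLICY], False)


def _validity(cert):
    # cryptography >= 42 offers tz-aware accessors; older releases only the naive-UTC ones.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def relying_party_accepts(cert, trust_anchor, required_policy) -> bool:
    """True only if cert is signed by the community CA, in date, and asserts required_policy."""
    if cert.issuer != trust_anchor.subject:
        return False
    try:
        trust_anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    not_before, not_after = _validity(cert)
    if not not_before <= datetime.datetime.now(datetime.timezone.utc) <= not_after:
        return False
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
    except x509.ExtensionNotFound:
        return False
    return any(p.policy_identifier == required_policy for p in policies)


if __name__ == "__main__":
    print("survey report signer ok:", relying_party_accepts(SURVEYOR_CERT, BOARD_CERT, SURVEYOR_POLICY))
    print("survey report via director cert:", relying_party_accepts(DIRECTOR_CERT, BOARD_CERT, SURVEYOR_POLICY))
    print("survey report via rogue CA:", relying_party_accepts(ROGUE_CERT, BOARD_CERT, SURVEYOR_POLICY))
```

A relying party that signs off survey reports configures `BOARD_CERT` and `SURVEYOR_POLICY`; one that accepts company returns configures `REGISTRAR_CERT` and `DIRECTOR_POLICY`. The same person’s key pair is accepted in each niche only through the certificate issued for that niche, and a certificate that merely copies the policy OID under an outside CA is rejected at the signature check.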

And so digital certificates provide the means for precise contexts to be conserved and unambiguously bound to respective identifiers. Some of my previously published R&D has demonstrated how context rich digital certificates can deliver anonymous e-health transactions [3] and anonymous e-voting [4].


Further work

The rare successes in federated identity―from the recognition of bank issued IDs for e-government in Scandinavia, through to Facebook Connect―show that some digital identities certainly can work well in multiple niches. On the other hand, Australian bank identities have resisted re-use even by other banks. If it were possible to “memetically” examine a given identity species and gauge its ecological adaptability, we could at the very least avoid yet more costly repeats of futile federation ventures. We could further learn how to optimise the interoperability of new synthetic identities, especially social IDs, as well as portable bank account numbers.

If digital identities do evolve as suggested here, then it should be possible to work out their phylogeny; that is, the natural history of the important memetic features of an identity as they change over time. IT practitioners have long known that various risks are peculiar to different sectors. Risk professionals have to specialise in their respective markets. In recent years, risk managers have had to respond to a bewildering array of challenges, including high quality fake passports and driver licences, magnetic stripe card skimming, Card Not Present fraud over the Internet, new anti-money laundering regulations, privacy laws, the advent of pure-play virtual retail banks, mobile devices, virtual worlds, and the unpredictable influence of social media.

What’s new about the ecological perspective is that it shows these challenges to be selection pressures on the evolution of identity species, and that each species can be analysed with reference to separate memes. A banking identity for example is determined by an ensemble of features, including KYC regulations, the bank’s own CRM practices, plastic card standards, PIN distribution and maintenance procedures, Internet security controls, and the various terms & conditions attached to each banking product.

One of the clearest current trends in authentication is the move away from in-person proofing to Electronic Verification (EV) of identity, especially in banking. The advent of better real time intelligence in transaction monitoring, and of multiple authoritative data sources, has helped to enable purely online origination of new bank accounts in some jurisdictions; the traditional emphasis on bank tellers verifying static identification documents presented in person is giving way to dependable ways of establishing bona fides remotely. And so the types of identity species used for purely online banking are gradually diverging from mainstream banking credentials to meet different environmental needs.

An important next step might be to conduct a careful memetic study of representative identities taken from the wild, to uncover their roots in different business ecosystems, and the degree to which they have been adapted to suit particular environmental conditions. If the right set of features and matching memes can be worked out, then a “phylomemetic” family tree of digital identities could be mapped out. In turn, we could better understand when a given existing identity can be adapted to other contexts, or whether it might be “memetically” engineered to better suit.

Conclusions

This alternative ecological theory appears to explain the under-performance of federated identity. It suggests that designs like the Identity Metasystem and NSTIC are over-engineered relative to the problems of identity fraud and cybercrime today. The Identity Metasystem is a grand attempt to solve stranger-to-stranger “trust”, yet most economically important transactions on the Internet occur between parties that operate in their own business contexts or niches, with specific risk management arrangements, formal credentials, terms & conditions, and liability allocation. The parties in each niche know precisely where they stand.

The price we pay for this kind of crystalline certainty is that each of our many digital identities is brittle. Serious digital identities are highly context dependent, which is exactly what the Laws of Identity teach us. On the other hand, the utopian Identity Metasystem has us bend those identities to suit other contexts. In practice, highly specific identities simply break when taken out of context, for their underlying risk management arrangements do not easily adapt.

If we appreciate identities as having descended in real world business ecosystems, then it should become clearer which identities can adapt, which cannot, and which may be modified to suit changed circumstances.

Identity federation takes the essentially technological problems of ease-of-use and pedigree of digital identities, and inadvertently turns them into unprecedented legal and business process problems. The very idea of federation runs counter to the old Italian proverb: Fidarsi è bene; non fidarsi è meglio. Or “To trust is good; not to trust is better”.

This would make a much better defining slogan of Internet sociology. It shows us that the transition from real world to digital identity need not be so daunting, for trust is moot after all. Technologists can stop fretting that the concept of identity needs re-defining. Instead, let us focus on taking the perfectly good IDs we have in the real world and taking them online in a smarter, safer form.


References

  1.  The Laws of Identity, Kim Cameron, Microsoft, November 2005, http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf

  2.  The Selfish Gene, Richard Dawkins, Oxford University Press, 1976.

  3.  A novel application of PKI smartcards to anonymise Health Identifiers, Stephen Wilson, AusCERT2005 Refereed Academic Stream, 2005, http://conf.isi.qut.edu.au/auscert/proceedings/2005/wilson05novel.pdf

  4.  An easily validated security model for e-voting based on anonymous public key certificates, Stephen Wilson, AusCERT2008 Refereed Academic Stream, 2008, http://conference.auscert.org.au/conf2008/Proceedings-SETMAPE.pdf

Note 1: See A National Program Office for Enhancing Online Trust and Privacy, White House blog, 7 January 2011, http://www.whitehouse.gov/blog/2011/01/07/national-program-office-enhancing-online-trust-and-privacy

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident

Log In

  |  Forgot your password?