A new theory of digital identity

Further work

The rare successes in federated identity, from the recognition of bank-issued IDs for e-government in Scandinavia through to Facebook Connect, show that some digital identities certainly can work well in multiple niches. On the other hand, Australian bank identities have resisted re-use even by other banks. If it were possible to “memetically” examine a given identity species and gauge its ecological adaptability, we could at the very least avoid yet more costly repeats of futile federation ventures. We could further learn how to optimise the interoperability of new synthetic identities, especially social IDs, as well as portable bank account numbers.

If digital identities do evolve as suggested here, then it should be possible to work out their phylogeny; that is, the natural history of the important memetic features of an identity as they change over time. IT practitioners have long known that various risks are peculiar to different sectors. Risk professionals have to specialise in their respective markets. In recent years, risk managers have had to respond to a bewildering array of challenges, including high-quality fake passports and driver licences, magnetic stripe card skimming, Card Not Present fraud over the Internet, new anti-money laundering regulations, privacy laws, the advent of pure-play virtual retail banks, mobile devices, virtual worlds, and the unpredictable influence of social media.

What’s new about the ecological perspective is that it shows these challenges to be selection pressures on the evolution of identity species, and that each species can be analysed with reference to separate memes. A banking identity for example is determined by an ensemble of features, including KYC regulations, the bank’s own CRM practices, plastic card standards, PIN distribution and maintenance procedures, Internet security controls, and the various terms & conditions attached to each banking product.

One of the most current trends in authentication is the move away from in-person proofing to Electronic Verification (EV) of identity, especially in banking. The advent of better real-time intelligence in transaction monitoring, and multiple authoritative data sources, have helped to enable purely online origination of new bank accounts in some jurisdictions; the traditional emphasis on bank tellers verifying static identification documents presented in person is giving way to dependable ways of establishing bona fides remotely. And so the types of identity species used for purely online banking are gradually diverging from mainstream banking credentials to meet different environmental needs.

An important next step might be to conduct a careful memetic study of representative identities taken from the wild, to uncover their roots in different business ecosystems, and the degree to which they have been adapted to suit particular environmental conditions. If the right set of features and matching memes can be worked out, then a “phylomemetic” family tree of digital identities could be mapped out. In turn, we could better understand when a given existing identity can be adapted to other contexts, or whether it might be “memetically” engineered to better suit.

Conclusions

This alternative ecological theory appears to explain the under-performance of federated identity. It suggests that designs like the Identity Metasystem and NSTIC are over-engineered relative to the problems of identity fraud and cybercrime today. The Identity Metasystem is a grand attempt to solve stranger-to-stranger “trust”, yet most economically important transactions on the Internet occur between parties that operate in their own business contexts or niches, with specific risk management arrangements, formal credentials, terms & conditions, and liability allocation. The parties in each niche know precisely where they stand.

The price we pay for this kind of crystalline certainty is that each of our many digital identities is brittle. Serious digital identities are highly context dependent, which is exactly what the Laws of Identity teach us. On the other hand, the utopian Identity Metasystem has us bend those identities to suit other contexts. In practice, highly specific identities simply break when taken out of context, for their underlying risk management arrangements do not easily adapt.

If we appreciate identities as having descended in real world business ecosystems, then it should become clearer which identities can adapt, which cannot, and which may be modified to suit changed circumstances.

Identity federation takes the essentially technological problems of ease-of-use and pedigree of digital identities, and inadvertently turns them into unprecedented legal and business process problems. The very idea of federation runs counter to the old Italian proverb: Fidarsi è bene; non fidarsi è meglio. Or “To trust is good; not to trust is better”.

This would make a much better defining slogan of Internet sociology. It shows us that the transition from real world to digital identity need not be so daunting, for trust is moot after all. Technologists can stop fretting that the concept of identity needs re-defining. Instead, let us focus on taking the perfectly good IDs we have in the real world and taking them online in a smarter, safer form.

 

References

  1.  The Laws of Identity, Kim Cameron, Microsoft, November 2005 http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf.

  2.  The Selfish Gene, Richard Dawkins, Oxford University Press, 1976.

  3.  A novel application of PKI smartcards to anonymise Health Identifiers, Stephen Wilson, AusCERT2005 Refereed Academic Stream, 2005 http://conf.isi.qut.edu.au/auscert/proceedings/2005/wilson05novel.pdf.

  4.  An easily validated security model for e-voting based on anonymous public key certificates, Stephen Wilson, AusCERT2008 Refereed Academic Stream, 2008 http://conference.auscert.org.au/conf2008/Proceedings-SETMAPE.pdf.

1 See A National Program Office for Enhancing Online Trust and Privacy 7 January 2011; http://www.whitehouse.gov/blog/2011/01/07/national-program-office-enhancing-online-trust-and-privacy

 

 


Copyright © SC Magazine, Australia
