Monday, June 13, 2005

OPINION:// Can I see your ID, please?

Martin Geddes - Telepocalypse

I’ve long taken an interest in what is called, for want of a better term, “digital identity”. This little vignette by Scott Lemon triggered a thought:
I believe that one of the biggest hurdles that is impacting the successful creation and deployment of Identity Management Solutions is this complete misunderstanding of the origins of our identity. […] If my identity is given to me by some community, how can I be the owner of it? I am the recipient of it … I have a community pointing their finger at me saying that it is true and accurate … I even have to refer anyone asking for verification back to that community to have it proven.
The Intelligent Network is also a complete misunderstanding of how value is created in communications. I’m wondering if there’s a link here.
The end-to-end principle works to maximise the option value of a network:
Don’t do in the core what you can do at the edge.
Don’t do at a lower layer what you can do at a higher layer.
Here’s the way we preserve option value for identities:
Don’t manage an identity centrally that can be managed in a distributed manner.
Don’t do in hardware what you can do in software.
Here in the UK the government is planning the mother of all IT disasters with a vast central identity federation system across all government systems, and a physical ID card that is (eventually) compulsory for all citizens.
This is stupid for many reasons I won’t recount here. It goes against both my principles above: it’s centralised, and it specifies the hardware.
But there’s a better way.
Why not invert the whole problem? What if, instead of a central database, there were merely bits of data scattered around and “managed” by the users? (As Scott notes, “ownership” of identity is a fraught philosophical problem.) So when I get a passport I get sent a digitally signed set of assertions by the passport office:
We saw this picture on date X.
We issued a passport with number Y on date Z.
The application was processed by agent A.
And so on. And I get to choose what instrument I store these assertions on. If I pay my utility bill, I get a digitally signed receipt in return. Eventually I accumulate my own personal store of digitally notarised assertions. I can control who gets to see these, and they control what inferences they will draw from them.
Now, if Agent A at the passport office turns out to be a crook, and someone else notices that passports issued by Agent A are correlated with fraud, the distributed system can react to that data: relying parties can simply discount any assertion that names Agent A as the processing agent. A centralised government-owned database cannot, since it assumes the truth of all the data it stores.
Call it the firewall fantasy: the world inside the firewall is good and safe, and everything outside is evil and dangerous. We put identity data behind an institutional firewall and assume that only good and true changes can be made to it. But that conflates two different things, who manages the data and who vouches for its truth. Data can be managed in a distributed manner while its truth is still vouched for centrally, by the issuer’s signature on each assertion.
By decentralising, and by uncoupling from any specific hardware solution, we cure a lot of problems at a stroke. We eliminate most of the “big brother” privacy issues, the security risk of one central data store holding everyone’s records (the risk of losing or leaking a store moves to each holder, but there is no longer a single target), and billions of dollars of IT expense. We can still have smart cards that store our ID, but you and I get to choose what form of smart card we adopt. If I want to use my credit card, cell phone, or a USB key as the conveyor, that’s my choice. We get the benefits of a strong ID system without the dangers of assuming that a government stamp on a piece of data makes it true.
For instance, my ID kit might include an assertion that a birth certificate was issued in the name of Martin Geddes on a certain date in the early 1970s. Just because I turn up with a card holding that assertion doesn’t mean that the person holding it is Martin Geddes. But that is exactly the inference a government ID card asks you to make.
It isn’t hard to protect privacy when you share your “assertions”. We don’t need to reveal the actual data for some third party to be able to make trust inferences. They don’t need to know my name, just that I’ve got a UK-issued birth certificate (or that a particular notary or government office claims to have seen the tatty piece of paper I have). They don’t need to know how much I paid for my electricity, or even to whom; just that someone called Martin Geddes has been interacting with society under that name for a considerable period. We just adjust the aperture to reveal the right amount of ID data.
The system becomes even stronger when these assertions are networked together. If I used my birth certificate key to open my utility account, the utility’s assertion should record that fact. To lie about my birth certificate then requires me to abandon all derived identity data: I can’t use my utility bill assertion because I can no longer provide the birth certificate assertion it points back to.
I’m asking you to trust me because I’ve assembled a collection of data about myself that can be correlated by third parties who need not be present at the point of transaction. This system doesn’t eliminate identity fraud; nothing can. It’s a different layer of the identity stack.
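As an added example, not code from the original post, here is the mechanism the last few paragraphs describe, sketched in Go with the standard library only. The issuer signs a set of salted claim digests rather than the claims themselves; the holder keeps the claims and salts and opens only the ones a relying party needs (the “aperture”); and a derived assertion (the utility bill) carries the ID of the assertion it was opened with, so disowning the birth certificate also orphans the bill. Issuer names, claim names, salts and keys are constructed for the walk-through, and the registry of issuer public keys is assumed to be distributed out of band; Ed25519 and SHA-256 are the only real primitives involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Claim is one fact an issuer vouches for; the random salt stops anyone who
// sees only the digest from brute-forcing a low-entropy value (a name, a date).
type Claim struct{ Name, Value, Salt string }

// Digest is the commitment to a claim that goes into the signed assertion.
func (c Claim) Digest() string {
	h := sha256.Sum256([]byte(c.Name + "\x00" + c.Value + "\x00" + c.Salt))
	return hex.EncodeToString(h[:])
}

// Assertion is what the holder stores: digests rather than claims, so any subset
// can be opened later. Parent, when set, is the ID of the assertion this one was obtained with.
type Assertion struct {
	Issuer  string   `json:"issuer"`
	Digests []string `json:"digests"`
	Parent  string   `json:"parent,omitempty"`
	Sig     []byte   `json:"sig,omitempty"`
}

// signedBytes is the canonical encoding covered by Sig (Sig itself left out).
func (a Assertion) signedBytes() []byte {
	a.Sig = nil // a is a copy; the caller's signature is untouched
	b, _ := json.Marshal(a)
	return b
}

// ID is the stable name a derived assertion uses to point at this one.
func (a Assertion) ID() string {
	h := sha256.Sum256(a.signedBytes())
	return hex.EncodeToString(h[:])
}

// Issue (issuer side): commit to every claim, sort so order leaks nothing, sign.
func Issue(issuer string, key ed25519.PrivateKey, parent string, claims []Claim) Assertion {
	a := Assertion{Issuer: issuer, Parent: parent}
	for _, c := range claims {
		a.Digests = append(a.Digests, c.Digest())
	}
	sort.Strings(a.Digests)
	a.Sig = ed25519.Sign(key, a.signedBytes())
	return a
}

// Verify (relying-party side): the issuer signature must hold, every opened claim must
// be one the issuer committed to, and a derived assertion must come with the parent it names.
func Verify(a Assertion, opened []Claim, parent *Assertion, issuers map[string]ed25519.PublicKey) error {
	pub, ok := issuers[a.Issuer]
	if !ok || !ed25519.Verify(pub, a.signedBytes(), a.Sig) {
		return errors.New("issuer unknown or signature does not verify")
	}
	for _, c := range opened {
		d := c.Digest()
		if i := sort.SearchStrings(a.Digests, d); i == len(a.Digests) || a.Digests[i] != d {
			return errors.New("opened claim not covered by signature: " + c.Name)
		}
	}
	if a.Parent == "" {
		return nil
	}
	if parent == nil || parent.ID() != a.Parent {
		return errors.New("derived assertion, but its parent is missing or mismatched")
	}
	return Verify(*parent, nil, nil, issuers) // one level is enough here; a longer chain passes the grandparent too
}

// NewSalt draws the random salt the holder keeps next to each claim value.
func NewSalt() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	// Constructed issuers and claims for the walk-through; not real data.
	govPub, govKey, _ := ed25519.GenerateKey(rand.Reader)
	utilPub, utilKey, _ := ed25519.GenerateKey(rand.Reader)
	issuers := map[string]ed25519.PublicKey{"passport-office": govPub, "utility": utilPub}
	name := Claim{"name", "Martin Geddes", NewSalt()}
	born := Claim{"birth-certificate-issued", "early 1970s", NewSalt()}
	birth := Issue("passport-office", govKey, "", []Claim{name, born})
	bill := Issue("utility", utilKey, birth.ID(), []Claim{{"account-open", "yes", NewSalt()}})
	fmt.Println("name opened, date withheld:", Verify(birth, []Claim{name}, nil, issuers))
	fmt.Println("bill without its birth certificate:", Verify(bill, nil, nil, issuers))
	fmt.Println("bill with its birth certificate:", Verify(bill, nil, &birth, issuers))
}
```

Two things worth noticing. The relying party that sees only the birth-certificate assertion and the opened name claim learns nothing about the date, because the unopened digest is salted; it still learns which office signed it, which is the whole point. And the Parent pointer that makes the chain strong is also a correlation handle: anyone shown both the bill and the birth certificate can link them by ID, so the aperture the post wants has a floor set by how the chain is built.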
There’s a telecom angle to all this too. What communities do I engage with and pass through when carrying a cell phone? What identities should that device be a bearer for?
There are many examples of the cellphone being used as an identity token: mobile wallets, phone as authentication system (e.g. “tickets by SMS”), season tickets, or phone as affinity signal (football club face plates). More innovation is on its way. In fact, it’s one area where the industry has so far got it more or less right.
One of my favourite patents I co-authored at Sprint was identity-based. Interchangeable faceplates are old-hat; “smart” faceplates have also been done. Our innovation was to make your faceplate smart in a unique way. Plug a Dungbeetle University faceplate on your phone and a proportion of your spending goes to the affinity partner (as well as the UI adopting elements of the affinity partner’s branding). Just like an MBNA affinity credit card giving a 1% cut, but on your mobile.
You only have to ask yourself why we aren’t using our mobile phones for carrying our identity around more. Maybe there’s too much centralised control by telcos and lock-in to fixed hardware? Perhaps this requires a multi-generational cultural change?
The network is becoming a bottleneck to the exchange of value, because telcos can’t figure out how to charge for it. They’re addicted to rationing out scarcity. Proximity-based transactions seem like an obvious outlet for the creativity of the handset makers. Every one of them is going to have identity at its core.
And the telcos are possibly winners too: there’s no Paradox of the Best Network if there’s no network to worry about. They’re nicely positioned to help you manage the storage and presentation of this data. Can they execute? I’ll let you decide the truth of that — on your own, decentralised.