I first wrote this nearly 12 years ago - it appeared in The Age's technology opinion area in May 2004. Unfortunately, little has changed... Enjoy.
Identity is such a difficult concept to grasp, particularly for our political leaders. They seek the magic device that will correctly distinguish "terrorist" from "tourist" or "refugee" from "freeloader." Unfortunately, what they're seeking is some measure of trust - "can I trust the motives of this person?"
So, here's my first pop-quiz. What do identity and trust have in common? The answer - not very much.
Identity management within a relatively closed environment is comparatively easy - a social club or an insurance office, for instance. We can (hopefully) confine ourselves to role-based identities and it's probably safe to assume that we're not dealing with terrorists, just hackers! The problem is that we assume the solutions that work here can be applied more widely.
Let's pause a minute and consider what identity is. Or, more importantly, what it is not. Identity is not who we are. "Who we are" is an amalgam of a large number of discrete identities which may or may not overlap, which may or may not agree with each other.
Most identities are defined in terms of the perceptions of others: for instance, we might buy the newspaper every morning at a kiosk before boarding the train to work. The vendor knows us by sight and says "hello" every morning. That is an identity; it is self-contained and complete within the bounds of the interaction. Similarly, our "family" identity is most strongly defined in terms of the perceptions of those around us. You might also consider the driver's licence as a self-contained identity.
Interestingly, although both are valid descriptions of "you," there is minimal overlap between the kiosk "you" and the family "you," unless perhaps your spouse accompanies you to the city one day; and none at all between kiosk and driver's licence (apart from the photo on your licence).
The great thing about identity is that we have so many of them to choose from - not for any "nefarious" purpose, but we intentionally partition ourselves into multiple "people." The "David Heath" at work is quite distinct from the David Heath at home, for instance. At a simpler level, the identity we use when we visit some website that requires authentication has very little in common with anything truthful about us. But it is still an identity of ours.
From these examples, you can see that there are degrees of accountability, acceptability, reliance and strength in your varied identities. To quote Roger Clarke: "Identity authentication is the process whereby a degree of confidence is established about the truth of an assertion by an entity that they have a particular identity, or are properly signified by a particular identifier." In other words, authentication is the process of binding an identity to an entity - hence ID-entity. Clearly, this is of minimal importance in our kiosk identity, but particularly crucial if we're standing in front of the immigration official attempting to enter Australia.
The link between who we are and our identity is tenuous at best; just about the only formalised "identity" we have is nothing more than a paper trail. Although credit databases are powerful tools, they are still not who we are.
Mind you, even an excellent paper trail can prove nothing - Timothy McVeigh, for example, was generally perceived as a fine, upstanding citizen. Also, the opposite - the absence of a paper trail - is no more (or less) useful. Knowing nothing about an identity is not the same as rejecting it.
Some identity documents, driver's licences for instance, are easy to fake (or acquire), yet are treated like gold. There have been numerous reports in the media that at least two of the 9/11 terrorists held valid (although in false names) Virginia licences. What does that tell us about the reliability of identity documents? So, here's my second pop-quiz. Is a passport any more "robust" than a driver's licence as a confirmation of identity? The answer, unfortunately, is "not much".
There is a huge effort expended on designing and implementing a self-protecting identity token (driver's licence, passport etc) and far too little effort on the validity of the actual identity, or on checking the legitimacy of the token. Recent press reports show just how seriously the Australian government takes passport control - in 2003, over 3000 people complained of errors in the passport they were issued - including one Caucasian woman who found the photo of an Asian man in hers.
It might also seem amusing that we regard the passport as the ultimate identity document, yet we're permitted to submit our application by mail.
What about biometrics, the catch-cry of the current decade? Biometrics is a very robust tool, particularly in the case of fingerprint and iris recognition. Biometrics, however, won't identify anyone (despite the strident cries of the privacy police); it merely allows a strong link between a person and a previously established identity. I was quoted in a recent technical publication by the Royal Canadian Mounted Police (IT Security Report R2-001): "A biometric does nothing more than re-establish the connection between the person and the established identity. If the established identity is weak, so are all subsequent verifications." Given a strongly verified identity, biometrics is the only robust method available to authenticate that identity to the claimed owner. Biometrics gives us authoritative identity determination; it's the only technique that can.
So, despite all the "extras," nothing changes. An identity cannot be strengthened by wrapping processes around it, even if those processes are very strong.
As mentioned at the beginning, it's not identity management we're having trouble with - it's trust management. We can create and manage as many identities as we want, but can we trust them? All of them? Some of them? None of them?
Stephen Covey, in his book Principle-Centered Leadership, tells us that the map is not the territory. He is referring, of course, to the difference between our representation of something (the map) and the truth of the same thing (the territory). In exactly the same way, an identity is not a person. Identity is a map of the trust landscape; it is not equivalent to trust. We must find a way to trust the person, not the identity.
So, drawing this back to the original theme, if we can sideline issues of trust and focus on identity, excellent solutions, both technical and procedural, are available. Consider the range of single sign-on, biometric authentication and token suppliers, not to mention the plethora of directories and other identity management systems. Over and above simple identity management, my initial examples of the social club or insurance office don't need a lot of explicit trust management. Implied trust and post facto remedies will deal with most situations.
Governments look at these solutions with a mixture of envy and total misunderstanding of the differences involved. If trust is established, identity is easy; unfortunately the reverse does not follow. It's easy to get caught up in the hype of identity so as to completely lose sight of the fact that you were really trying to manage trust. Not only are you no better off, but your fascination with identity will probably leave you worse off.
One final pop-quiz. Would you rather be managing identity in an insurance office or trust at the immigration desk at Sydney airport?