ON LINE OPINION - Australia's e-journal of social and political debate


Plurality of identities

By Stephen Wilson - posted Monday, 31 December 2007


While Kevin Cox (On Line Opinion) argues for one electronic identity and a host of relationships, a subtly but fundamentally different view is that we actually possess many identities, and that it is better all round to retain the ability to keep them all separate. This is not actually a radical proposal. I believe that most of us are pretty comfortable almost unconsciously treating, for example, identity as a citizen differently from identity as a bank account holder, or identity as an employee.

Judging by the work of others in the field, we may in fact be in the midst of a true paradigm shift, to a new worldview based on a plurality of identities. And here I’m using the infamous “p word” - much loved by consultants but derided by almost everyone else - in its proper context.

The term “paradigm” was popularised by the philosopher and historian Thomas Kuhn, in his seminal book The Structure of Scientific Revolutions (1962). Kuhn described paradigms in the sciences as sets of prevailing assumptions and theories that add up to an accepted worldview, such as the old idea that the sun and the planets revolve around the earth, or that disease is caused by imbalance in bodily “humours”. Paradigms are not always bad, but they invariably carry deep implications that can go unchallenged and influence broader systems without us being aware.

I suggest we’ve been saddled for years in the IT world with the tacit assumption that deep down we each have one “true” identity, and that the proper way to resolve rights and responsibilities is to render that identity as unique; that is, to get to the bottom of who the person “really is” before bobbing back up and checking what role they are acting in. But this search for the “real” identity can go too far.

When it does, it can expose far more of our selves than is warranted, and it can make it fiendishly difficult to disentangle our digital lives. The “singular identity” paradigm has had a deep and unhelpful influence on smartcards, biometrics, and the very trendy "federated identity" movement.

Federated identity is a sort of mash-up of the things that are known about us in different contexts. Usually the end point of federating one’s identities is a single definitive statement of who you “really” are. To argue the case, proponents of federated identity usually cite drivers’ licences and the way they’re presented to bootstrap a new relationship.

They liken the use of a driver licence to “build up” a new identity as if the more proof of identity you can aggregate, the more trusted and more widely recognisable you will become.

But there is a serious category error when the real world experience of identity cards is extended superficially to federated ID. A driver licence might evince your “identity” when joining a video store but it does not persist in that relationship. It does not become your identity as a video store member. For that, you will receive a new membership card, and the driver licence is left aside.

A less trivial example is your identity as an employee of Company X. The HR department may want to see your driver licence on your first day on the job, but that’s mainly to make sure they get your legal name correct. Thereafter, you carry an ID badge for Company X, which is your identity in that context. You don’t present your driver licence to get in the door of your workplace.

The question asked and answered by federated ID is: how many identities do we need? Only one! The new “Identity 2.0” movement stresses the multiplicity of our relationships. A very popular and beguiling but ultimately utopian conference presentation by the movement's leader Dick Hardt shows vividly how many ways there are to be known (see here). He’s right - I am at the same time a licensed driver, an employee, several bank account holders, a football club member, a university alumnus, a frequent flyer and so on. But Dick Hardt goes a step too far when he seeks to create a single, albeit fuzzy, “uber identity” that mops up all relationships and transcends all contexts.

The alternative view is that each of us actually exercises a portfolio of separate identities, switching between them in different contexts. This is not an academic distinction; it really makes a big difference where you draw the line on how much you need to know to set a unique identity.

I remember once visiting my bank to deposit cheques into my business account. It happens that my personal account was at the same institution, and they had without telling me “federated” my multiple identities. The teller asked me which account I wanted the cheques to go to - my mortgage, my credit card or my debit account? I was truly shocked, especially as I had handed over the corporate key card. The cheques were not for me, Stephen Wilson, they were made out to my company. The fact that I am a signatory to the company bank account is completely immaterial to the arrangement that treats the company account as a different entity. There are centuries of company law that tell us that the identity of the corporation is not the same thing as the identity of any of its employees.

Kim Cameron from Microsoft has developed a new and well thought through manifesto: the “Laws of Identity”. These clearly promote what I call the “plurality” of identity. The laws include a new definition of digital identity as “a set of claims made by one digital subject about itself or another digital subject”. Cameron knows that this relativist definition might be unfamiliar; he recognises that it “does not jive with some widely held beliefs - for example that within a given context, identities have to be unique”.

When you change jobs, you really do have a new workplace identity. Likewise, one’s identity as a bank account holder is quite different from one’s identity as an employee. Try this thought experiment: your identity as an employee is suddenly destroyed when you are made redundant. How would you like your bank to know about this state of affairs before you’ve had a chance to make plans, evaluate your options, get another job? Your right to privacy could be deeply affected in a world where we arbitrarily hang different “roles” off the one uber identity.

Ironically I suspect that the singular identity paradigm is a child of the computer age. Before the Internet and before the advent of IdM, we lived happily in a world of plural identities - citizen, spouse, employee, customer, account holder, another account holder, patient, club member, another club member and so on ad infinitum. It was only after we started getting computer accounts that it occurred to people to think in terms of one “true” identity plus a constellation of “roles”; or to use the orthodox jargon, one authentication followed by multiple authorisations. So the irony is that very modern advances like the Laws of Identity might take us back to the way identities were before the Internet.

I said at the beginning that a paradigm can have implications that go unchallenged. Let’s consider the possibility that the singular identity paradigm has enabled, without anyone noticing, the rather too easy acceptance by security experts of biometrics.

The idea of biometric authentication plays straight into the orthodox world view that each user has one “true” identity. The widespread intuitive appeal of biometrics must be based on an idea that what matters in all transactions is the biological organism. But it’s not. In most real world transactions, the “role” is all that matters, and it’s only under rare conditions of investigating frauds that we go to the forensic extreme of locating the organism.

There are huge risks if we go and make the actual organism central to routine transactions. It would make everything intrinsically linked, implicitly violating Privacy Principle No1: Don’t collect personal information if it’s not required.

It is an interesting question to ponder why the security community, which is usually proud of its caution, is so willing to embrace so quickly the risks of biometrics. As noted in my previous post, biometrics perform way short of what one would expect. Compared with PIN numbers they're actually really lousy: 2 or 3 per cent False Match Rate compared with 0.03 per cent for a four digit PIN with three retries.

They're usually advocated for convenience as well as (or instead of) security, but on that score they're still problematic. Confirmation times can be a minute or more for commercial solutions (according to UK Customs Service testing); some years ago Disney World in Florida decommissioned their hand scan turnstiles because they couldn't get the response time down below 10 seconds. Worst of all from a security point of view is the impossibility of recovering from identity theft, since no known commercial biometric can be revoked and re-issued.

The irrational attractiveness of biometrics may be because we’ve been inadvertently seduced by the relatively new idea that a single identity would be sensible.


About the Author

Stephen Wilson is the Managing Director of Lockstep, a company dedicated to strategic research, analysis and advice in e-authentication.

This work is licensed under a Creative Commons License.
