May 15, 2011
Identity crises
Identity wars have been fought and lost as major players pull out and admit defeat, but who’s making advances in the field?
The Digital Identity movement is in crisis. Recent months have seen Microsoft shelve its Cardspace offering and cede leadership in this space. The leading web Single Sign On solution OpenID is being abandoned by important players. The blogosphere is thick with the cynical resignation that Facebook has “won the identity wars” (use of the battle cry metaphor is itself indicative of cooperation being shaky).
And in the midst of this turmoil, President Barack Obama has given his imprimatur to the boldest plank in his cyber security strategy: the National Strategy for Trusted Identities in Cyberspace (see http://www.nist.gov/nstic). NSTIC is a sophisticated and well-intended model for public-private partnership in electronic authentication, yet it has had a mixed reception.
Many Americans are, of course, instinctively wary of any government involvement in anything, let alone as touchy a subject as identity. In the current political climate, even moderates are reluctant to trust the initiative to be separated from homeland security programs and other intrusions. Others laud NSTIC for its careful attention to privacy and its adoption of leading edge privacy enhancing technologies from the ‘Identity Metasystem’.
NSTIC introduces complexities and new personal information flows that may outweigh its technical privacy measures. NSTIC embraces the new orthodoxy of identity federation and enshrines the idea that trusted third-party ‘Identity Providers’ and ‘Attribute Providers’ will intermediate between customers and service providers, to broker minimum disclosure of PI between the parties. One important paradox in all this is that users may find themselves disclosing more PI than ever when signing up with identity providers, to enjoy such newfangled services as ‘Verified Anonymity’.
How did we get to this point? Does digital life really need to be so complicated, with multi-lateral arrangements introduced in the name of securing conventionally straightforward transactions like using a credit or debit card online?
There is deep irony in today’s digital identity formulations. In normal life, we are totally at ease with the concept of identity, with all its nuance and separate dimensions. We understand the different flavours of personal identity, national identity and corporate identity. We talk instinctively about ‘identifying with’ friends, communities, sporting teams, suburbs, cities, countries, causes and companies. In multiculturalism, there is the idea that more than one cultural identity may co-exist in the one person.
It seems clear to me that we switch identities unconsciously in daily life when, for example, we wear a uniform to work, or our team’s colours to a footy game. We feel very differently about the money when we do the banking for a company, or for ourselves. And then there is what I call the ‘High School Reunion’ effect, when we are confronted with friends we haven’t seen for decades, and experience the jolt of reliving our own identities as they once were and are no longer.
So human identity is malleable stuff. But when it comes to digital identity (that is, knowing and showing who we are online) we make a total mess of it. We have inherited from computer science an arcane conceptual framework with arbitrary identity constructs, reasonable to technicians but at odds with the human condition. For example, technologists insist that ‘authentication’ (knowing who someone is) has primacy over and must always precede ‘authorisation’ (telling what they are entitled to do). Yet in real life, we often deal with people based on their authority alone; we rarely need to know who a bank manager, an auditor or even our own boss ‘really’ is.
Many other standard security ideas are really foreign. Think about Single Sign On. It makes sense to use one password at work to access all corporate computer systems, but some have tried to extend SSO to the entire web, so that one general purpose identity might grant us access to banks, merchants, health services and social networks. Yet SSO is unprecedented in the real world; after all, it would be like asking your employer to re-key the front door of the office to match your house key.
Meanwhile, in spite of all the earnest theoretical work on identity and ‘trust’, cyber crime and privacy breaches only get worse, and none of the ‘Identity 2.0’ initiatives have succeeded in serious business settings like e-government, banking and e-health.
It seems vital that we take stock and review the premises of federated identity if better progress is to be made.
So what is identity?
Simply, my identity is how I am known in a circle I move in. I am a member of many different circles: of colleagues, customers, users, members, professionals, friends and relatives. When we look at identity this way, it illuminates complexities like ‘interoperability’. There is a common intuition that digital identities can be made to interoperate, but this is shown to be misplaced by the fact that belonging to one circle doesn’t automatically mean you belong to any others.
See? It’s simple.
Stephen Wilson, founder of the Lockstep Group, is an analyst, consultant and innovator in digital identity and privacy. See: www.lockstep.com.au
blog: http://lockstep.com.au/blog
twitter: @steve_lockstep
Written by: Charis
Filed Under: Guest columnists, Stephen Wilson
Tags: identity management, NSTIC