Plurality of identities

Kim Cameron from Microsoft has developed a new and well thought through manifesto: the “Laws of Identity”. These clearly promote what I call the “plurality” of identity. The laws include a new definition of digital identity as “a set of claims made by one digital subject about itself or another digital subject”. Cameron knows that this relativist definition might be unfamiliar; he recognises that it “does not jive with some widely held beliefs - for example that within a given context, identities have to be unique”.

When you change jobs, you really do have a new workplace identity. Likewise, one’s identity as a bank account holder is quite different from one’s identity as an employee. Try this thought experiment: your identity as an employee is suddenly destroyed when you are made redundant. How would you like your bank to know about this state of affairs before you’ve had a chance to make plans, evaluate your options, get another job? Your right to privacy could be deeply affected in a world where we arbitrarily hang different “roles” off the one uber identity.

Ironically I suspect that the singular identity paradigm is a child of the computer age. Before the Internet and before the advent of IdM, we lived happily in a world of plural identities - citizen, spouse, employee, customer, account holder, another account holder, patient, club member, another club member and so on ad infinitum. It was only after we started getting computer accounts that it occurred to people to think in terms of one “true” identity plus a constellation of “roles”; or to use the orthodox jargon, one authentication followed by multiple authorisations. So the irony is that very modern advances like the Laws of Identity might take us back to the way identities were before the Internet.

I said at the beginning that a paradigm can have implications that go unchallenged. Let’s consider the possibility that the singular identity paradigm has enabled, without anyone noticing, the rather too easy acceptance by security experts of biometrics.

The idea of biometric authentication plays straight into the orthodox world view that each user has one “true” identity. The widespread intuitive appeal of biometrics must be based on an idea that what matters in all transactions is the biological organism. But it’s not. In most real world transactions, the “role” is all that matters, and it’s only under rare conditions of investigating frauds that we go to the forensic extreme of locating the organism.

There are huge risks if we go and make the actual organism central to routine transactions. It would make everything intrinsically linked, implicitly violating Privacy Principle No1: Don’t collect personal information if it’s not required.

It is an interesting question to ponder why the security community, which is usually proud of its caution, is so willing to embrace so quickly the risks of biometrics. As noted in my previous post, biometrics perform way short of what one would expect. Compared with PIN numbers they're actually really lousy: 2 or 3 per cent False Match Rate compared with 0.03 per cent for a four digit PIN with three retries.

They're usually advocated for convenience as well as (or instead of) security, but on that score they're still problematic. Confirmation times can be a minute or more for commercial solutions (according to UK Customs Service testing); some years ago Disney World in Florida decommissioned their hand scan turnstiles because they couldn't get the response time down below 10 seconds. Worst of all from a security point of view is the impossibility of recovering from identity theft, since no known commercial biometric can be revoked and re-issued.

The irrational attractiveness of biometrics may be because we’ve been inadvertently seduced by the relatively new idea that a single identity would be sensible.