[Dave Birch] Identity issues have been steadily climbing the agenda with many of our clients and as we put more thought into the subject, more complexities are uncovered. It’s not going to be easy to develop the next-generation identity infrastructure that we all seem to want and one of the main reasons why it is difficult is that none of us can agree on what it should be. Not in technology terms (although we can’t agree on that either) but in terms of the vision. What do we want from next generation identity?
One day we’ll see a blending between our virtual identity and our physical identity. In many ways, the web is the backbone for what’s coming next. We’ll see the integration of digital services and apps into our real-world environment.
I’m sceptical about this, because I think that in the future people will have multiple virtual identities. This is a fundamental conceptual disagreement. It isn’t resolvable in technology space. In terms of vision, there is no overlap between this view and the view of, say, Charles Raab, Professor at the AHRB Research Centre in Intellectual Property and Technology, School of Law, University of Edinburgh. When speaking at “The Life of Mobile Data” at the University of Surrey back in 2004 Charles said that “In the world of post-modernism, it is no longer clear that any one identity is ‘real’”. I still think this is one of the most insightful comments I ever heard on the topic, and one that continues to have a profound impact on my thinking in this area.
But what does it mean? Here’s a practical and immediate example. The British government has announced that it is to reform the Witness Protection Scheme (WPS) which, as the name suggests, protects people who have given evidence in criminal trials. The people and their families are given new identities and moved to another part of the country to start a new life. There are currently 3,000 people under protection in this way.
The UK’s first national witness protection scheme has been launched to overhaul the currently “inconsistent” approach to keeping vulnerable people safe, the Ministry of Justice has said.
Witness protection is one of those cases that makes the design of an identity system interesting and complex. During my time as a member of the Home Office Advisory Forum in the days of the proposed UK national identity card, witness protection was one of the factors that persuaded me that a token-based solution was the way forward, rather than some form of purely biometric solution.
There’s a great danger in accepting an infrastructure of passive identification where you, the target, do not have a choice in how you are identified. It may seem superficially attractive to have network-based solutions that do not require tokens, but I really don’t want websites to use a plug-in that identifies me every time I visit them. This is not because I’m in the witness protection programme but because I want a very basic choice of interacting as Dave Birch the private citizen or Dave Birch the executive officer of Consult Hyperion or John Doe.
In such a system, how does the identity infrastructure know which identity to use? I suppose one way of determining which identity might be returned would be to look at the nature of the request. Imagine a national identity service that was solely based on personal characteristics. It doesn’t matter whether they are your fingerprint, face, typing pattern or anything else. The chap at the pub wants to know whether you are 18 or not, so he captures the relevant characteristic (let’s use fingerprints for the purposes of discussion) and fires it off to the identity service. The identity service sees that your fingerprints appear twice in the record: once for your “real” identity and once for your “witness” identity. Since it is a pub asking, the service sends back your witness identity and life goes on. But, for example, if it is a policeman asking, then the system might return both identities. This would of course be insanely dangerous because, as is well documented, unauthorised access by policemen and others to existing databases is rampant and it will be no trouble for criminals to determine previous identities. In the case of the ill-fated UK national identity card, unauthorised access to the identity database started even before the system went live.
Nine U.K. government workers have lost their jobs after misusing their access privileges to view personal information on public citizens stored in the government’s national identity database… 34 U.K. local council employees were found to have illegally accessed the Customer Information System (CIS) database, according to a news report. The CIS is one of three systems that will constitute the U.K. government’s national identity database…
It’s one thing to have trusted and vetted and responsible council workers rummaging around in a National Identity Database, but imagine what happens when just about anyone gets access to that database and it is recording who is in the WPS. Actually, you don’t have to imagine it because we already know.
The British Broadcasting Corporation (BBC) indicated in a 2009 article that, according to a report by a Mexican magistrate, [translation] “the majority of protected witnesses who have cooperated with the judicial system in Mexico have been assassinated”.
[From UNHCR | Refworld | Mexico: The use of government databases by third parties to locate persons; privacy issues; security of information about witnesses in the witness protection program (2008-September 2011)]
If you are a spy, or an undercover policeman, or in the witness protection programme, or perhaps even a restaurant critic, you may have perfectly legitimate reasons (in some cases very literally a matter of life and death) for wanting one identity asserted over another. Who controls this? In a token-based environment, there is no problem. A policeman stops me in the street and wants to know who I am. I take out my phone and touch it against his phone. His phone requests an authenticated identity, my phone asks me for a PIN or pass code which I enter, and my phone sends back my driving licence which includes a photograph that is displayed on the policeman’s phone. In this latter case, my personal characteristics might form part of the process but for the purposes of local authentication against the token: thus I might be required to speak into my phone or present my fingerprint to the phone, or whatever, but this would be used only within the phone for template matching. Google has apparently come out in favour of tamper-resistant hardware tokens, which ought to finally give impetus to this approach in the mass market.
An identity service founded on the principles of post-modern relativism thus has no problem dealing with the multiple identities. In essence, it would treat all identities as pseudonyms. The use of the pseudonym that happened to coincide with your “real” name would not be a special case. To see what I mean, imagine that my name is Jelly Dave (an epithet earned through my knowledge and skill in using gelignite to open safes). I fall out with Mr Big, the head of my gang of bank robbers, and I decide to turn Queen’s Evidence and start a new life. Quite straightforward: my digital identity is revoked and I’m given a new one. I use that digital identity to obtain a new pseudonym from the national identity service (in essence, I send them my blinded public key, they send me back a signed public key certificate and then I remove the blinding) and I’m now Telly Dave, a couch potato from Woking. If a policeman stops me in the street, my phone tells him that I’m Telly Dave. If he is corrupt, it doesn’t matter, because there is no link between Telly Dave and Jelly Dave. The pub, the policeman and everyone else is provided with a pseudonym, not the underlying real identity. And since neither the pub nor the policeman has access to the biometric register that ensures uniqueness, they never see the Meaningless but Unique Number (MBUN) that connects the pseudonym to the physical entity.
(The key to making all of this work is to separate the relationship between the “real” person and the pseudonym through the mediating relationship of digital identity, but that’s not really what I want to discuss here.)
Incidentally, I know we are only tackling part of the problem here because the witness protection issue is about to get substantially more complex (unless my idea of issuing standard Facebook-blue burkhas to the population takes off). Using digital identity infrastructure it is easy to give you a new pseudonym, but it is not easy to give you a new social graph. Witness protection in the age of Facebook is a whole lot more complicated because protecting your privacy in an online age is a minefield, as “Real Names Randy” Zuckerberg just found out. My new identity of Telly Dave is sooner or later going to get tagged in a photo somewhere that will end up with Mr Big. So without knowing anything about the WPS itself, or how the government proposes to restructure and centralise it, I would think that it has a massive job on its hands to set about forging the social graph for spies, undercover policemen, protected witnesses and restaurant critics in the face of services like Andrew Nash’s new venture Trulioo, which helps to uncover phoney Facebook identities. I would imagine that services like this will make it much harder for the WPS to maintain social graphs for people who need protection. Someone out there must have thought about this, so I’m desperately keen to read about potential solutions. Links please!
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.