Friday, May 04, 2007

Slicing the Identity Pyramid

Following on from a brief sojourn into topicality, maybe it is time to reconsider what exactly we are trying to do when we talk about identity checks or, more technically, identity assertion and verification (which are two different things, something that regularly eludes the 'biometrics will solve everything' brigade.)

At a very basic level, I am trying to do something that you want some people (of whom I may or may not be a member), but not everybody, to be able to do. Conversely, if you don't want anybody to be able to do it or if everybody can without restriction, identity checking is superfluous.

Let's look at a few examples, and then return to the basics.

Tickets: these often do not have your name on them but increasingly they do. Why? Well, in the case of common or garden train tickets, or even carnets, all the identity provider is interested in is obtaining their revenue. They don't care who you are (because there is minimal economic incentive in their collecting that knowledge and no regulatory insistence that they must) and, even, often don't mind if you share your carnet with a work colleague (as I often do). Where there is a name - for example airlines and sporting or entertainment events - this is because there is a clear incentive for them to link the ticket to a particular claimed identity. There is no real assertion of identity and the only verification / validation is that the token has not been used before.

In the case of the no-frills airlines, this is because their pricing structures are sufficiently obscure and highly variable that it is possible for outsiders to engage in profitable arbitrage. You buy future dated tickets for a busy route, taking advantage of the cheap deals available with sufficient notice and sell these, closer to the date, to somebody with less ability to forward plan. Having a name on the ticket and requiring you to show official ID renders this impractical (hence the large charges for, or forbidding of, changing the name on a booking.) Here the assertion of identity is at the point of ticket purchase (which can easily go wrong, although this example was a date rather than a name error) and the verification is at the presentation of official ID and the comparison of the names.

For venues, whose pricing is often both public and fixed, their motives are more public spirited. They are trying to prevent tickets from both getting into and being resold from the hands of touts. Not to increase their revenue (except possibly in the case of corporate hospitality boxes) but to ensure that real fans can buy tickets at the intended price (I am probably being slightly too kind to them here.)

Let us take a counter-example of retail banking. My bank cares who I am. It wants to know how to accurately credit score me (although past behaviour is not a guarantee of future performance :). It is required, by anti-money laundering legislation and regulation, to recognise the sources of any large money flows into and out of my accounts. It doesn't, to many people's surprise, care much that my real name is on my bank cards or cheque books (pace the many entertainers with accounts in their stage names.) In fact one of my banks consistently gets my name (inconsistently) wrong. All they care about is that the card securely (for some definition of the word) links me to one or more specific accounts and that they are sure of the identification of that account holder within their risk appetite. This applies just as much to old-fashioned anonymous banking and the new pay-as-you-go debit cards. Here, within the limits of what is possible under the regulatory regimes, all the identity necessary is the cash sum that originally backed the card on issue. As far as card purchases go, the assertion isn't the name printed on the card, but the account number read from chip or swipe. The PIN (or signature) forms the identity verification - weak, as has been argued in many places but possibly risk-appropriate (at least from the bank's point of view) where the loss is merely financial.

Passports - the government want to know, as closely as practical, who you are but the more-or-less ubiquity of the requirement in the modern lastminute.com world means that they can't charge enough to do a proper job. Hence the counter-signatory on the application and the photographs. You assert your identity on the form and it is validated by your countersignatory. Once issued, of course, you still assert your identity, but it can now be validated by the passport (including printed and digital photographs, signature verification, counter-fraud checks and if you are unlucky, a range of biometrics).

So, back to fundamentals of identity.

Let us assume the philosophical point that we actually have an absolute identity, happily granting that to Monsieur Descartes. However, our assertion of our own personhood, while metaphysically pleasing, is absolutely no use when it comes to real world applications (I may assert that there is a couple of million £ in my bank account - would you believe me?)

Therefore, identity is asserted through the medium of a mutually trusted party. Sometimes, the medium can be extremely weak: the wearing of certain clothing (uniformed police officer or a priest). Sometimes it is asserted through technology - credit cards. Sometimes it is asserted through personal introduction (why would the Scotsman, say, claim one of their commentators is a Professor, if they are not?)

However, the real world aspect of identity is that it relies on different levels of both assertion and granularity for different purposes. This is where schemes like the UK Government's Identity Card fall flat - they have a (designed to be, even if it falls short in practice) strong and individual identity core, which they then want us to use for situations where we need to evidence a much less granular identity. Putting aside the likely success of an extremely large Govt IT project using unproven technology and the hideous statist control-freakery that is the National Identity Register, mere use of the card seems a breach of privacy in many circles.

I would not have objected to having to show an identity document if they had let me vote in person yesterday - voting is both sufficiently important an activity that a significant degree of control is reasonable and one where personation has been rife in the (recent) past. On the other hand, why should there be any requirement to prove my actual personal identity to buy goods? All that should be necessary to prove to the vendor is that the financial intermediary will stand for the payment (practically, this may involve me proving my rights to draw on a specific and named account to the intermediary - but not necessarily my identity and not to the merchant.)
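The card-payment case above, together with the single-use ticket from earlier in the post, as an added sketch (not code from the original post): the intermediary checks the account number and PIN, and the merchant sees only a signed, single-use guarantee that carries no name or account. The class names, the shared HMAC key and the account values are constructed for illustration.

```python
import hashlib, hmac, json, secrets

# Constructed demo key shared by the intermediary and its merchants (assumption).
MERCHANT_KEY = b"constructed-demo-key-not-a-real-secret"

def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class Intermediary:
    """Knows which account backs a card; tells the merchant only 'we will pay'."""
    def __init__(self, key):
        self._key, self._accounts = key, {}

    def open_account(self, account_no, pin, balance_pence):
        self._accounts[account_no] = {"pin": pin, "balance": balance_pence}

    def authorise(self, account_no, pin, merchant_id, amount_pence):
        acct = self._accounts.get(account_no)
        # Assertion is the account number; verification is the PIN.
        if acct is None or not hmac.compare_digest(acct["pin"], pin):
            return None
        if acct["balance"] < amount_pence:
            return None
        acct["balance"] -= amount_pence
        # The guarantee names the merchant and the amount, never the payer.
        claims = {"merchant": merchant_id, "amount": amount_pence,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        return {"body": body.decode(), "mac": _mac(self._key, body)}

class Merchant:
    """Verifies the guarantee; never learns who the customer is."""
    def __init__(self, merchant_id, key):
        self.id, self._key, self._seen = merchant_id, key, set()

    def accept(self, token, amount_pence):
        if token is None:
            return False
        body = token["body"].encode()
        if not hmac.compare_digest(_mac(self._key, body), token["mac"]):
            return False                      # not issued by the intermediary
        claims = json.loads(body)
        if claims["merchant"] != self.id or claims["amount"] != amount_pence:
            return False                      # issued for someone or something else
        if claims["nonce"] in self._seen:
            return False                      # already used, like a ticket
        self._seen.add(claims["nonce"])
        return True
```

The only identity-bearing data (account number and PIN) stays between the payer and the intermediary, which is the least granular disclosure that still lets the merchant trust the payment.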

In the real world, identity solutions will need to involve differing levels of trust and granularity. They need to be robust against systems and communications failures, user and administrator errors and deliberate attack. The government are not trusted, by individuals and organisations, to get things right with sufficient regularity for them to be the trusted third party (see the chaos in yesterday's voting technology). Retention of widely heterogeneous identity systems, including many with little up-front granularity, and minimal linking of back-end databases, is going to be increasingly vital for privacy and the effective functioning of society as the technical ability of the public and private sectors to retain, cross-link and search data increases.

Sorry for the ramble.

S-E

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.