Third Law of Identity

The Fewest Parties Law of Identity

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

My own understanding of this law is one of the happy by-products of what I think of as my “Passport Aha”.

On the one hand, Passport has always been a system for authenticating to Microsoft&#39s “Internet properties”, and was immediately successful in this role.

On the other, it was positioned as an early identity service. Given my long-term interest in identity, I was personally skeptical about this broader use of Passport. It&#39s proponents argued that a centralized Internet service could act as an identity broker mediating between consumers and relying parties. They thought that life would be a lot easier (and more secure) if :

  1. consumers had a strong identity relationship with Passport ; and
  2. web sites started to use Passport identities to recognize their customers.

There were only two problems with the concept. The first was that web sites didn&#39t really want Passport mediating between them and their customers. And the second was that consumers didn&#39t see what Passport was doing there either.

Put in terms of the Third Law of Identity, beyond the perimeter of Microsoft&#39s own sites, few saw Passport&#39s presence in an identity relationship as being necessary or justifiable.

Some observers who are less than enraptured by Microsoft have explained this rejection of Passport by citing a widespread distrust of Microsoft. But I don&#39t subscribe to that explanation. There are, after all, a couple of hundred million active Passport accounts on any given day – the scale is amazing. But consumers use the accounts to access Hotmail and other properties owned by Microsoft – again, in accordance with the Third Law, where Microsoft&#39s participation in the identity relationship is necessary and justifiable.

I argue that all of us involved with identity should “listen up” to this experience and come to understand the Third Law.

For example, it is natural for governments to operate identity services. And it is natural for people to use government-issued identities when doing business with the government. But in my view, it will not be seen as “necessary and justifiable” to insert a government intermediary between family members seeking to verify identity or between a consumer and his hobby or vice. Thus the success of government-run identity systems will be determined by governments’ understanding of the Third Law.

The same is true of other identity providers. For now, I leave it as an exercise for the reader to explore the applicability of this law to various potential candidates for provision of identity.

Denver Post on Ping

Everyone should check out the Denver Post&#39s article on Andre Durand and Eric Norlin. It captures a lot about the whole experience of building Ping. And it contains the unforgettable line, which I hope I have made more flattering:

Norlin, known around Ping&#39s offices for his… humor, joked that cashing out is like a teenager&#39s view of sex. “You wish it would happen but you try not to think about it.”

Second Law of Identity

Second Law of Identity

Before we get to take a walk on the Norlin side, it&#39s time for the Second Law of Identity. And it&#39s simple enough:

The Minimal Disclosure Law of Identity

The solution which discloses the least identifying information is the most stable, long-term solution.

The thesis here is that the more identifying information is released, the more a solution invites abuse by rogue (and ultimately criminal) elements. We will return to a more rigorous discussion of these dynamics later in our conversation. For now, we will just point out that we are getting many reinforcing reports about the increasing professionalism and criminalization of identity attacks.

Let&#39s now go back to the case of Eric&#39s polycomm (by the way, I saw a ‘polycom’ at Bartell&#39s today ! – but luckily it only had a single “m”. I will try to get a photograph, though of course that might be dangerous…) If you missed out on the polycomm idea – which set the terms of reference for the current scenario exploration – please take a look at this.

The second law of identity tells us:

A solution in which the polycomm had to query my mobile phone for a social security number and then use this as a key for discovering the address of an all-knowing mp3 service would be much less stable than one which allowed the polycomm to query the mobile phone directly for the address of an all-knowing mp3 service.

But this latter would still be a relatively unstable service since it would need to be able to collect and potentially divulge all my music preferences.

The most stable solution would be one where the polycomm simply asked my anonymous (i.e. next generation) mobile phone what music selection “the anonymous I” would like to hear next.

In our example, the second law of identity applies as follows… (where “<” means “divulges less identifying information”)…

momentary anonymous listener preference < well-known individual music profile < citizen SSN

To consider potential economic value in these three cases:

Information linking my Citizen SSN to other identifying information is worth a lot. Protecting it is a complex and difficult long-term goal with continuously increasing associated costs, since this information will become an ongoing target of escalating professional attacks.

My full individual music profile – if systematic in the sense that computers can guarantee – has a potential (and therefore covetable) value for those marketing music.

But my “momentary anonymous listener preference” has no value to anyone but me.

Thus “momentary anonymnous listener preference” is a solution less likely to involve negative and anti-social side-effects than the other solutions.

And our law of identity is thus analogous to any prudent advice involving risk: minimize it.

If he walks like Eric, he is Eric

My discussion about the relationship between employees and employers seems to have moved Eric Norlin to drop his proposed amendment to the first law of identity… He still has questions, though, like “say my employer tracks my web surfing habits – do i have to explicitly hand that over? surely, my surfing tracks are an attribute of my identity”.

I hope the screenshot below will help convince him that again, the most natural (and defensible) way to organize things is for the employer to ask the employee for consent to track him. That&#39s what we do in these here parts, and it seems to work well enough. I guess if the employee doesn&#39t want to be tracked, he needs to ask for employment in a different department.

That said, I really like Eric&#39s invention of the term “identifiable walk” – though I draw different conclusions about it:

We all *do* things that can be abstracted that can be used to identify us — (this is the infamous tier 3 identity from andre&#39s article)….should we have control over ALL of those attributes? my gut says that would be impossible.

in fact, it may already be that way — we all have an identifiable “walk.” the TSA is testing programs that would use that to identify terrorist types. Should i have to give consent to that camera when i walk in the airport? or is my walking in the airport consent enough?

So now it&#39s on to discuss “Norlin&#39s Walk”.

Hard to argue

Craig Burton has been generously heaping kudos my way for aruging that a discussion of the philosophy of identity is orthogonal to the discussion we should have about the laws of identity. And I&#39m going to hold firmly to that direction, even though I received this titillating comment – probably more relevant to Scott Lemon&#39s Axioms – from David Rollow of CSG Systems.

Take a look at W. V. O. Quine&#39s essay “Two Dogmas of Empiricism” for relevant philosophical discussion about the most basic identity issues. If you understand it you will realize that the very idea of “axioms of identity” makes no sense. The “personal” identity discussion in philosophy is about things like persistence, sameness of tokens observed at different times, self-knowledge and self-identity, problems of no interest in the age of identity theft. The Quine essay is at a more fundamental level of discussion but it applies if you apply it.

Yes, the “it applies if you apply it” view of philosophy is hard to argue with, especially if you argue with it.

Reduced Realism

Do not worry! The graphic to your right is not really happening!

A picture named ms_con_mgr.gifI&#39m currently switching to a new Toshiba Portege tablet PC (the HP tablet I was trying before was too heavy and the screen was u-n-b-e-l-i-e-v-a-b-l-y small).

As part of the grossly tedious job of moving my environment from last week&#39s system to this week&#39s, I had to set up my connection to Microsoft&#39s “Corporate Virtual Private Network”. This is the system we use to get to corporate resources when we&#39re at home or on the road.

This task brought me to the screen shown here – I know it now looks pretty ugly but it was scaring some of our more “protected” readers so I reduced its realism. The content relates directly to the conversation I&#39ve been having with Eric Norlin about trends with regard to explicit versus implicit consent when releasing identifying information. To me it is further indication that employers are increasingly willing to seek explicit consent.

The most interesting thing about such consent is that it is about more than being “a good and progressive employer”: it actually puts employers in a stronger legal position should disputes arise about their collection of information.

Axioms of Identity

Scott Lemon, who was a driving force behind Digital ME and is now working on a project called Free ID, is posting a series of “Axioms of Identity“. We are dealing with some of the same issues, but at different levels of abstraction. I hope to reference Scott&#39s axioms later when I get to the third law of identity. But it is great to be able to ponder them now.

Mike Foley, who runs the Bluetooth SIG, has contacted me about my comments on identity issues with Bluetooth. He has very good news to bring to the table about enhancements to the Bluetooth spec which start to solve the current identity problems. He was more than gracious about asking me to review the emerging proposals and put me in touch with others in the SIG. It is great to have Mike join in the discussion, and I will be interviewing him as soon as I can.

I&#39m trying to move my site from radio.weblogs.com/0141875 to http://identityblog.com. Several readers thought we needed something easier to remember (!). I wish I could say the change is going smoothly. Right now everything is pretty mixed up, so please bear with me. Lawrance at Radio Userland is helping a lot. Wish us luck!

 

Dropping of an Identity Bomb

Craig Burton listened to Noel Anderson talking about the Bluetooth Identity Bomb and transcribed some of my interview with him. He was as blown away as I was.

Craig also says he wants to put my first law of identity into the lexicon crockpot. That is great news. Craig is a master of lexicon – we need him on this expedition.

For those new to the way a master like Craig does things, we aren&#39t talking seconds spent finding the right vocabulary. Or minutes. Or hours. Or even days, or weeks. We&#39re talking months. Sometimes years. But at the end of it all, the words might last ten centuries. I predict people will still be using our word Metadirectory in 3004. And it was Craig who had the discipline to work out all the aspects of the lexicon until they were irresistable.