The Fifth Law of Identity

Doc Searls has written about a conversation he had where Dave Winer says:

Doc Searls, bless his heart, offered RSS and podcasting as examples of technologies that were simple, therefore successful, and suggests that identity, if it were to be approached the same way, might have similar success. Bzzzt. Wrong. RSS was not easy, it was hard, for exactly the same reasons identity is hard. Too many cooks spoil the broth. Two ways to do identity is one too many.

The problem is that – at the same time – one way to do identity is too few. And this is what explains why the creation of a universal system of identity is one of the greatest challenges blocking the evolution of technology and the virtual world.

If you think about the requirements for governmental identity as expressed, for example, by the authors of the British Identity Card Bill we have just been considering, it becomes pretty clear that what may fly in the United Kingdom might not be appropriate for use in the Netherlands or even the United States. How would imposition of a Chinese-designed identity system go over in Texas? (Or put another way, how would the hegemony of a Redmond-designed system be received in Brussels?)

Further, a system appropriate for use with any government would in general be unsuitable for use in identification of employees by an employer.

Customers and individuals browsing the web will in turn want different levels of privacy than is likely to be provided by any employer.

So when it comes to identity, it is not only a matter of having identity providers run by different parties (including individuals themselves), but of having identity systems that offer different (and potentially contradictory) features.

A universal system must therefore embrace differentiation, while recognizing that each of us is simultaneously – in different contexts – a citizen, an employee, a customer, a virtual persona.

Thus I would say to Doc and Dave that different identity systems need to be able to exist in a metasystem based on a simple encapsulating protocol and surfaced through a unified user experience that allows individuals and organizations to select the appropriate identity providers and features as they go about their daily activities.

To put all of this another way, the universal identity system must not be another monolith. It must be both polycentric (federation implies this) but also polymorphic (existing in different forms). Which leads directly to the fifth law:

The Law of Pluralism:

A universal identity system MUST channel and enable the interworking of multiple identity technologies run by multiple identity providers.

It is this which will allow an identity ecology to emerge, evolve and self-organize.

Dave Winer's RSS is so powerful because it vehicles any content. We need to see that identity itself will have several – perhaps many – contents, and yet these can be expressed in a metasystem.

We need a good outcome

William Heath from Ideal Government has responded to my previous post, saying:

I agree with your comment about the riskiness of the central register and I think your suggestion that identifiers be unidirectional is very sensible.

He goes on to make the sobering point that “… it may take ten years (and another massive IT project failure) for people to work out why doing ID in this way (omnidirectional identifier – Kim) is not such a good idea.” He continues:

I wish we could make people more motivated about this sooner, because we need a good outcome.

Thank you anyway for the laws of ID, and getting stuck in to this specific case study. From where I'm sitting this is far from academic.

Yes, we need a good outcome: systems that are beneficial to the individual and to to her society; and systems that are widely seen to be beneficial. Systems that are safe against attack over very long periods of time (should we say, practically forever?) Systems that are designed for minimal entropy, that are likely to leak as little as possible despite all the conspiring forces of time, overconfidence, incompetence and evil.

Now, please, tell me how we transform the discussion on identity from one in which brick and mortar politics are flung about to one in which we calmly come to grasp the practical matters involved in building new virtual social institutions that combine technology and social contract. William's comment that proponents of the current bill “call their critics intellectual pigmies” is indicative of how far we still need to go.

We need to move beyond moral imperative. We need a way to transform the tenets of the current debate to a pragmatic one based on maximizing social cohesiveness and minimizing system entropy and economic risk – as I have argued here and here. I'm starting to understand that the Laws of Identity must be accompanied with a systematic examination of the problems of long-lived technical systems.

Brick and Mortar Cards with Chips

British Identity CardI&#39ve been learning more about British Identity Cards. Here is how the BBC covered introduction of the legislation by Home Secretary David Blunkett, who said polls showed 80% of the population supports the initiative.

The proposed Bill is short (sixty pages) and makes an interesting read – if you are an identity freak. The typical Labour Member of Parliament talks about it this way. The Conservative Party supports the initiative too (though it worries that it is tainted by Labour&#39s sponsorship…) At the other end of the spectrum, the Liberty human rights organization (no resemblance to the American Liberty Alliance) is critical for several reasons – including cost and the lack of protection from “feature creep”. The BBC&#39s ‘briefing page” is here.

The plan is to phase the card in over time, and although its use is initially optional, the bill lays out procedures to make procurement of a card mandatory for various “groups of persons”. Everyone would be required to have a card by 2013. People will use the card in order to gain access to government services – or when required to do so by the appropriate authorities.

The British card is so far very much framed for use in the brick and mortar world. It ties citizens to an entry in a centralized “registry” that would contain the following information (details are here):

  • personal information: names, birth date, current and previous addresses
  • identifying information: photograph, signature, fingerprints, other biometric info
  • residential status: nationality, terms and conditions of entitlement to remain in the United Kingdom
  • personal reference numbers: national identity number, national insurance number, and the numbers on ID cards, passports, immigration documents, work permits, driving license, and other documents issued
  • record history: circumstances surrounding changes in information; date of death
  • registration and ID card history
  • validation information
  • security information: personal identification number, password, questions and answers used for identification
  • records of provision of information: all kinds of information about the circumstances under which information from the registry was disclosed to others

Reading the Bill, there is no obvious discussion of use of the cards for identification in the virtual world. Yet it is inevitable, going forward, that as more governmental services are offered through electronic means, the government identity card will become a digital identity for use in dealing with Government services.

We can thus say that from the point of view of creating a universal system of digital identity, initiatives such as this one are essential features of the emerging landscape. A universal system should be able to integrate governmental identification in the appropriate contexts, which in turn will vary on a national basis according to what the British Information Commissioner calls “the relationship between state and citizen”.

The issues of identity in the Brick and Mortar world are outside the scope of the discussion I am animating here. But it seems the British Government could benefit by looking into the Fourth Law of Identity, and actually taking more advantage of the cryptographic capabilities of state-of-the-art cards. So far, it seems that the new identity cards, despite the presence of a nice golden chip, are conceived of just like their old-fashioned plastic predecessors.

The government says it is far too early to have worked through the specific implementation that will be deployed – and that it is still open to proposals. So maybe technical thinkers in Britain will be able to convey some of the technological options which can better achieve the purposes behind this initiative.

After all, David Blunkett says, “ID cards will mean people have to give the state less information about themselves.” And Tony Blair says that ID cards would “protect rather than erode civil liberties”. This is actually possible if the card is thought out better. But there is a lot of work to do.

For example, the card could emit unidirectional identifiers for each division of government. Though unidirectional and relevant only in the world of a given department, the identifiers would uniquely identify a person as qualifying for services. In such a scheme, one&#39s health records would not be keyed directly to one&#39s driving license or income taxes, because the card would produce a different, but still official, identifier for each department. The various departments could then be made accountable for storage of only that information which concerns them. And a breach of one of these systems would result only in the breach of a small subset of a citizen&#39s information, directly addressing the legitimate concerns of the Information Commissioner.

At the same time, the full set of unidirectional identifiers associated with a given person could be made available through another closely guarded system. The security of this system could be based on separation of duties – such that some procedure would need to be followed to obtain knowledge of the set of identifiers emanating from a single ID card. Armed with this set of unidirectional identifiers, an authorized investigator could assemble relevant information from all the departments stewarding specific knowledge. By combining cryptography, networking and web services, this kind of distributed system would provide information in as timely a manner as the one currently proposed.

In this scenario the state obtains the ability to garner the information it needs while protecting the privacy of its citizens and without creating a central storage site that would be nothing if not an information-disaster-waiting-to-happen. As a technologist I worry that the registry, as currently described, has been devised without regard to the laws of entropy. Why create a single system that knows everything and thus needs to be accessible by far too many people given the value of its contents?

Somehow I am certain that no political person or senior civil servant would want to be the father of a system embodying so much risk when the same results can be achieved without any risk at all. I hope that as the project goes forward this thinking can be communicated to those involved.

Identity and eGovernment in Britain

I&#39ve been taking occasional breaks from the long-running Christmas party and swimming upstream into my email torrent.

I have to recommend the British Ideal Government blog – “a web user&#39s antidote to personal frustration with public services” run by William Heath as a kind of wikki with a lot discussion of eGovernment and related subjects. It seems to be a good vantage point from which we in North America can get an unofficial view of the approaching British rendezvous with government identity cards.

Having myself followed William&#39s advice on this matter, I recommend that everyone interested in identity issues read the British Information Commissioner&#39s perspective on the Identity Cards Bill.

Of course, government eIdentity cards run smack into the Law of Fewest Parties (Third Law of Identity):

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Starts here…)

Interestingly, this law is well understood by the Information Commissioner, who has obviously thought long and hard about these issues (American readers are advised not to miss the understated intensity of the words ‘myriad’ and ‘plethora’):

The problems (…administrative and technical – Kim) would be substantially exacerbated if it becomes the norm for a myriad of organisations – including commercial bodies – to check the Register for a plethora of purposes completely unconnected with those public interest objectives set out on the face of the Bill (Clause 1(4)).

One of the most thought-provoking aspects of the proposed scheme is the auditing of uses of the identity asserted by the card. This aspect of identity systems is one to which we will dedicate considerable attention going forward.

The example is given of employers being required to verify a person&#39s right to work before hiring them. This would involve the card-holder (in conjunction with the employer?) accessing “the registry” by using the card. The card&#39s use would in turn be recorded as part of an ever-growing audit trail of transactions associated with the subject. The commissioner points out that in this kind of scenario, much more guidance is required. Is the card to be used and audited every time you apply for a job? Only when the job offer is accepted? And above all, why?

We will all learn a lot by watching Britain grapple with these issues. In Britain there seem to be many mixed opinions. But it is encouraging that the national identification card is not proposed as a universal or commercial identity. It seems to be intended for use in official government contexts, making it conform to the Third Law.

Spying on high tech won’t trump terrorists use of low tech

On Monday (December 20th) my flight became substantially shorter and cheerier when I came across a terrific piece by Tom Zeller Jr. in the New York Times. “On the Open Internet, a Web of Dark Alleys” (registration required) cogently introduces the general reader to the idea that there is no magic privacy-invading wand that can be waved over the internet to protect it from criminal elements.

As Zeller says, “the troubling truth is that terrorists rarely have to be technically savvy to cloak their conversations. Even simple, prearranged code words can do the job when the authorities do not know whose e-mail to monitor or which Web sites to watch.”

Zeller says it is widely believed that Mohammed Atta, suspected of being the leader of the Sept. 11 hijackers, transmitted this final message to his co-conspirators over the Internet: “The semester begins in three more weeks. We&#39ve obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts, and the faculty of engineering.” Encryption was hardly necessary – who but the participants would imagine that the faculties represented the World Trade center and the Pentagon?

To drive the idea home, Zeller then reports on an another extreme case of how low tech trumps high tech:

Michael Caloyannides, a computer forensics specialist and a senior fellow at Mitretek Systems, a nonprofit scientific research organization based in Falls Church, Va., said the nature of a networked universe made it possible for just about anyone to communicate secretly. Conspirators do not even need to rely on code-hiding programs, because even automated teller machines can be used to send signals, Dr. Caloyannides explained,

A simple withdrawal of $20 from an account in New York might serve as an instant message to an accomplice monitoring the account electronically from halfway around the world, for example.

Tom Zeller has an amazing talent for making complex ideas seem simple. It is great to have him thinking and writing about these widely misunderstood issues.

Conspirators are able to make use of the current internet – an insecure internet which leaks personal information and is contemptuous of privacy – to help accomplish their goals. There is no silver bullet that can stop the kinds of attacks Zeller describes. But we do know that an internet with a stronger identity framework, including more privacy, would make citizens, businesses and governments safer in many other ways.

Standing on his head

James Kobielus of Network World and the Burton Group has astonished me by calling upon me to abandon my “cypherpunk” ways.

He goes on to say that the Laws of Identity “are at odds with the real, legislated, post-9/11 laws in this country and elsewhere. There are overarching authorities who are rendering your hoped-for privacy-friendly identity regime politically infeasible.” He also says, “At heart, Cameron’s “laws” are merely ideological, normative precepts with a transparent agenda and a limited, though laudable, aim.”

The truth is that I am not animating this discussion for ideological reasons. The Laws are not sermons, but explanations of why previous identity systems have failed where they failed and succeeded where they succeeded. Further, they are ways of understanding what is required for identity systems to succeed in the future. Both”normative precepts” and ideology are legitimate objects of study by social science. Attempting to understand normative precepts is not itself ideological: normative behavior, some of which is transcultural, underlies social institutions. Social behavior and institutions shape many of the characteristics of distributed systems. As computer scientists, we need to take them into account.

People are befuddled by the question of terror, and this must please the terrorists. By far the greatest problem of terror is our vulnerability to it. At some point cyberterror will professionalize enough that it will graduate from attacks on single processes and machines to attacks on the distributed system and all its components. It is a race against time to get a universal identity system in place that can alone provide the infrastructural underpinning necessary to counter these attacks.

Everyone must understand identity for our virtual future (and the future virtual) to be safe. That means identity must be understandable. James surely agrees that the active support of millions of computer users will vastly speed the process of building an identity system. (And that their opposition would grind it to a halt.) So his dismissal of how the user is treated while we build the identity system totally mystifies me. Could he himself be subject to some ideology?

The laws do nothing to prevent legitimate investigators from getting relevant parties to share information which, once assembled, would confirm or rule out guilt. If anything, a system based on these laws would make such proofs more scientific. The laws simply prevent indiscriminate leakage of identity information. In this sense, they reduce peoples’ vulnerability to attack.

Nor do the laws prevent third parties (some of whom may present themselves as authorities) from making assertions. They simply propose that the identity system be built such that if the user is called upon to present such assertions, she can see what assertions are being made about her and decide whether to release them. This does not imply that a provider could not make opaque assertions – only that the user would understand they were opaque. The user might choose to release the assertions anyway – or find another more forward thinking provider who will compete by being open.

James offers four principles which I will examine some other time. But his theory that my identity is owned and controlled by the authorities who make assertions about me is really upside down. I assert, as an authority, that James is standing on his head. Do I now own and control his identity? It sounds like voodoo to me.

Totally awake at the wheel

Marc Canter must have a news reader running real-time, because he just replied:

Fine – I&#39ll trade yah some MSDN manuals, PDC bookbags and some old Flight Simulator disks for some juicy broiled prawns and a cup of hot apple cidar.

I really need more PDC bookbags for my collection, so this sounds like a great compromise. By the way, Marc is a guru and if anyone should get fees it is him.

Totally asleep at the wheel

I just received mail asking why I hadn&#39t answered the marvelous post by Marc Canter, father of Macromedia. I have to admit I was totally asleep at the wheel – could it be my day job?

Marc opines in his lovable blend of angel and baseball bat:

Here&#39s where Kim tells us about how ‘Passport is dead’ – while simultaneously being used by 200M people. MSN Spaces sure uses it. ]

I&#39d bet that his new InfoCards technology super-sets Passport – making it just one of many identity systems – which all have to work together. So Sxip, Liberty and Passport/WS-* all using i-names, FOAF and XFN. To be exact.

So what I&#39d say to Kim is: “Hey Kim? Where&#39s that all expense paid, guru fees junket, PR suck-up strategy session where Microsoft pays us to go up there, eat Oyster stew and learn about InfoCards?”

And we reply with even more open source ideas – for free.

Well, I&#39ve been trying to animate a discussion about the objective factors constraining what an identity system must be in order to be successful. And a bunch of the people you mention are looking at this deeply and thinking about the fundamental issues in identity that will make a universal system possible.

I don&#39t personally think that Microsoft should operate an identity provider other than for its own properties – and I don&#39t think that&#39s in our plans. I do think we should provide great identity software – that interoperates with great identity software from others. I also think MSN properties should be able to use other identity providers if that&#39s what people want – so Passport needs to be able to federate in that sense.

Further, I&#39m convinced no one will get out of this without reving what they&#39ve done so far. We all need to move forward. And I think this discussion shows many people are willing to move forward.

So yes, we need an open, inclusive system, but the constituent technologies all need to come into alignment with the laws of identity in order to succeed.

By the way, I want to organize some meetings. And I&#39ll bet I can get Microsoft to spring for the oyster stew. But if I don&#39t want the meetings to be PR junkets – and I don&#39t – I&#39m worried we&#39ll have to dispense with the all-expense paid guru fees part.

Mark Wahl on the Third Law

Anyone who knows LDAP has probably heard of Mark Wahl. And they will likely enjoy this amazing page which defines Mark – are you ready? – as an OSI OID. For those who don&#39t know about this type of thing, oidy is way beyond nerdy (in the positive sense). But those were the days when we were young and flush with the first blush of LDAP. There was a “whole lot of LDAP goin’ on”!

Mark was co-author and editor of the LDAP V3 specification. He built great directory at Innosoft, which was acquired by Critical Angle, which was acquired by SUN, and he contributed many ideas and refinements to the standardization of directory protocols. These days he has left SUN and has a startup called Informed Control.

While the First and Second laws didn&#39t seem to wrankle him, he sent me extensive comments on the Third Law. I have posted them here.

Remember the Third Law? (If you need more context, check out the RECAP link on the identityblog home page.)

The Law of Fewest Parties

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Starts here…)

While Mark admits I gave some good examples of the usefulness of this law, he asks – and several other commentators have done the same – “Justifiable to whom? And who or what does the justifying?” He argues, “there may not even be agreement among the parties that one or more parties belong in the relationship”.

He then presents a number of examples in which identifying information is routinely forwarded to parties the consumer did not consider to be involved: a clearing house in an electronic funds transfer, a debt collector in the case where a consumer doesn&#39t pay a debt, a government agency during a criminal investigation. “Today when a consumer signs up to a service provided by a bank or credit card issuer, they implicitly agree to share their identity information to a large and unbounded set of parties.”

What does the justifying? And justifiable to whom?

The First Law of Identity requires that disclosure of identity or private information be under the control of the party who is disclosing it. Doing so must make sense to her. So the justification requirements of the third law apply to the subject who is disclosing.

The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.

Further, the system must be “translucent”. The user needs to understand the system, as we will see in an upcoming law. In the physical world we are able to judge the situation we are in and decide what we want to disclose about ourselves at any particular time. And we must be granted the same level of control in the cyber world.

Having disclosed an identity to another party, that party may have reason to pass information along to third parties. So it should provide the disclosing party with a policy statement about information use. This policy should govern what happens to disclosed information – I save this discussion for another day. But I&#39ll suggest in passing that one can view this policy as defining “delegated rights” issued by the disclosing party.

No limits should be placed on how the party to whom I disclose information organizes itself, as long as it responsibly applies the policy under which I shared information.

Clearly such a policy would allow all parties to respond in the case of criminal investigations – but this does not mean the state is a therefore party to the identity relationship! Of course, this should be made explicit in the polcy under which information is shared.

The cases presented by Mark all dissolve as exceptions in light of this thinking.

Stefan Brands’ Identity and Privacy Reading List

I asked Stefan Brands, who has both an academic and practical interest in identity systems, to put together a reading list of interesting papers and books on identity-related issues that we should take a look at. And I&#39m sure most of us will enjoy seing what he has set out for us… I&#39ve posted it here. Maybe one of these will be the perfect “holiday gift” for your spouse (or your spouse&#39s spouse).