James Kobielus of Network World and the Burton Group has astonished me by calling upon me to abandon my “cypherpunk” ways.
He goes on to say that the Laws of Identity “are at odds with the real, legislated, post-9/11 laws in this country and elsewhere. There are overarching authorities who are rendering your hoped-for privacy-friendly identity regime politically infeasible.” He also says, “At heart, Cameron’s “laws” are merely ideological, normative precepts with a transparent agenda and a limited, though laudable, aim.”
The truth is that I am not animating this discussion for ideological reasons. The Laws are not sermons, but explanations of why previous identity systems have failed where they failed and succeeded where they succeeded. Further, they are ways of understanding what is required for identity systems to succeed in the future. Both”normative precepts” and ideology are legitimate objects of study by social science. Attempting to understand normative precepts is not itself ideological: normative behavior, some of which is transcultural, underlies social institutions. Social behavior and institutions shape many of the characteristics of distributed systems. As computer scientists, we need to take them into account.
People are befuddled by the question of terror, and this must please the terrorists. By far the greatest problem of terror is our vulnerability to it. At some point cyberterror will professionalize enough that it will graduate from attacks on single processes and machines to attacks on the distributed system and all its components. It is a race against time to get a universal identity system in place that can alone provide the infrastructural underpinning necessary to counter these attacks.
Everyone must understand identity for our virtual future (and the future virtual) to be safe. That means identity must be understandable. James surely agrees that the active support of millions of computer users will vastly speed the process of building an identity system. (And that their opposition would grind it to a halt.) So his dismissal of how the user is treated while we build the identity system totally mystifies me. Could he himself be subject to some ideology?
The laws do nothing to prevent legitimate investigators from getting relevant parties to share information which, once assembled, would confirm or rule out guilt. If anything, a system based on these laws would make such proofs more scientific. The laws simply prevent indiscriminate leakage of identity information. In this sense, they reduce peoples’ vulnerability to attack.
Nor do the laws prevent third parties (some of whom may present themselves as authorities) from making assertions. They simply propose that the identity system be built such that if the user is called upon to present such assertions, she can see what assertions are being made about her and decide whether to release them. This does not imply that a provider could not make opaque assertions – only that the user would understand they were opaque. The user might choose to release the assertions anyway – or find another more forward thinking provider who will compete by being open.
James offers four principles which I will examine some other time. But his theory that my identity is owned and controlled by the authorities who make assertions about me is really upside down. I assert, as an authority, that James is standing on his head. Do I now own and control his identity? It sounds like voodoo to me.
