If you haven't read Jim Harper's book, Identity Crisis: How Identification Is Overused and Missunderstood I urge you to do so as soon as you can.
I was initially a bit skeptical about this book because – I hope my more politically inclined friends will forgive me – it was published by what I assume is a political “think tank”. I worried it might reflect some kind of ideology, rather than being a dispassionate examination of reality.
But in this case I was wrong, wrong, wrong.
Jim Harper really understands identification. And he is better than anyone at explaining what identification systems won't do for us – or our institutions. He carefully explains why many of the proposed uses of identification are irrational – delivering results that are quite unrelated to what they are purported to do. In my view, getting this message out is just as important as explaining what identity will do. In fact it is a prerequisite for the identity big-bang. There are two sides to this equation an we need to understand them both.
He directly takes on the myth that if only we knew what peoples’ identifiers were, “we would be safe”. Metaphorically, he is asking what kind of plane we would rather fly in – one where the passengers’ identifiers have been checked against a database or one where they and their luggage have been screened for explosives and guns?
I think he will convey to “lay people” why a so-called “blacklist” is one of the weakest forms of protection, showing that all you have to do is impersonate anyone not on it to sneak through the cracks.
The book is full of important discussions. It has chapters like “Use identification less” and “Use authorization more.” I have only one criticism of the book. I would like to see us separate the notion of identity, on the one hand, and individual identification (or identifiers) on the other. We need return to the original meaning of identity: the fact of being who or what a person or thing is.
As a simple example, suppose I'm a service provider building a chat room for children, and want to limit participation to children who are between 12 and 15. Let me contrast two ways of doing this.
In the first, all the children are given an identifier. To get into the room, they present their identifier and prove they are the person to whom that identifier was given. Then the chatroom system does a lookup in some public system linking identifier and age to make the access control decision.
In the second, the children are given a “digital claim” that they are of some age, and a way to prove they are the person to whom that “claim” was given. The chatroom system just queries the claim to see if it meets its criteria. There is no reference to any public or even private identifier.
My point is that the first mechanism involves use of an identifier. The second still involves identity – in the sense of being what a person is – but the identification, so rightly put into question by Jim's book, has been put into the trashcan where it belongs.
The use of an identifier in our first example breaks the second Law of Identity (Data Minimization – release no more data than necessary). It breaks the third Law too (Fewest Parties – since it discloses use of information to a central database unnecessary to the transaction). Finally, it breaks the Fourth Law (using an omnidirectional identifier when none is required).
The book was written before “claims-based thinking” began to gain mindshare, and so it's missing as a category in Jim's discussion of advanced identity technologies. But we've talked extensively about these issues and we have concluded that we have no theoretical difference – in fact the alignment between his work and the Laws of Identity struck us both as remarkable given that we come at these issues from such different starting points.
Jim's book is wonderful reading. It should help newcomers better understand the Laws of Identity. And this week the Cato Institute in Washington held an event at which Jim spoke, along with James Lewis, Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International Studies; and Jay Stanley, Public Education Director, Technology and Liberty Project American Civil Liberties Union.
Download the podcast or watch the video here.