I met with Phil Windley in person recently. We had a great exchange of ideas, and I was fascinated by his nuanced comments about identity and context.
I have the feeling I won't shock too many people by saying I am not the world's biggest fan of using the word “trust” to describe the means by which we evaluate the truthfulness of digital identity claims. And I have to hand it to Phil for humoring me during our conversation… But this caveat aside, I think Phil is onto something important when he talks about the one-time use of third-party claims to “transfer trust” – for example, the use a government identity to introduce oneself to a bank, even though it would not make sense to use that identity for daily transactions. This is an insightful contribution to the third law.
Phil has a special facility for concrete examples enriched by his long experience, including that as CIO of Utah. Phil blogged about some of these ideas today.
Identity credentials have contexts. When I was talking to Kim Cameron, he used the example of a Government issued passport and coffee club card. The context for the passport is a border crossing. The context for the coffee club card is buying coffee. Identity credentials are often used out of context. Sometimes, out of context use doesnt make sensethink of presenting the coffee club card during a border crossing.
Other times, however, its a critical part of establishing a relationship or transferring trust. As an example, you might use a credit card to pay for your purchase at the coffee shop and be asked to present some kind of identity credential. In that case, using your passport at the coffee shop would be out of context, but youd be doing so to transfer the trust that the government has that you are a particular person to the coffee shop cashier.
One identity credential thats frequently used out of context is the drivers license. Interestingly, if you ask the head of your States drivers license bureau if the drivers license is an identity document, youll probably be told noits official purpose is to authorize you to drive.
A recent move by the Utah Legislature to issue driving privilege cards (DPC) instead of drivers licenses to illegal aliens belies that. You might be scratching your head and asking why anyone would issue a drivers license to someone in the country illegally. The answer is very practical. Illegal aliens drive. When they drive, they sometimes get into accidents. Without a drivers license, they cant get auto insurance. By not giving illegal aliens a driving permit of some kind, you create a huge pool of uninsured motorists.
Issuing a DPC sends the message, loud and clear, that the drivers license is an identity document that is frequently used out of its original context. Of course, as a private citizen, youre free to recognize the driving privilege card as an identity document if you like. I suspect, for example, that it will be readily accepted as proof of age by convenience stores that want to sell beer and cigarettes. That kind of out of context use will continue.
The legislation specifically rules out certain contexts. For example, the DPC cannot be used to identify yourself when you fly. Nor can it be used to claim certain government benefits. Getting a drivers license opens the door to all kinds of opportunities in our country. The intent is that the DPC will not.
Theres a dark side to the DPC as well. I can be pretty sure that anyone presenting a DPC is illegal. This opens the door to all kinds of discrimination and abuse. Whether the DPC catches on remains to be seen. The Federal Real ID legislation will probably force other States down this or similar paths.
Phil has a book on Identity Management in the works which I'm sure readers of this blog will consider a thriller! He also just did a podcast for IT Conversations with Dan Solove, author of the Digital Person. If you missed my discussion of Solove's ideas, I join Phil in strongly recommending this book.