Why is digital identity so tricky? The past decade is littered with earnest initiatives that failed to meet expectations (like the Australian Trust Centre) or consortia that over-promised and under-delivered (such as Liberty Alliance). Now we have the Open Identity Exchange, which is said to reflect an "ecosystem" of identity providers and consumers. The White House's high-minded National Strategy for Trusted Identities in Cyberspace has adopted the ecosystem as a given.
All such "federated identity" models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline processes, reduce costs, and open up new business channels. It's a potent mix of supposed benefits, and yet strangely unachievable.
True, we can now enjoy the convenience of logging onto multiple blogs and social sites with an OpenID, or an unverified Twitter account. But higher-risk services like banking, e-health and government welfare stand apart, still maintaining their own identifiers and sovereign registration processes.
To my mind, the fashionable open identity approach is ironically lumbered with the same lofty ambitions that killed off traditional Big PKI. The express aim is to create "trust frameworks" sufficient to enable business to be conducted amongst strangers.
To this end, federated identity proponents implore banks and government agencies to re-invent themselves as "Identity Providers" in accordance with the weird and wonderful Laws of Identity.
The Laws of Identity embody some powerful ideas, especially the view that when we go about our business, each of us exercises a plurality of virtual identities. In different settings we present different identities, each standing as a proxy for a complex and bounded relationship. We have different relationships with various entities and services: banks, government agencies, health services, employers, stores, professional associations, social networks and so on. Each identity is context dependent, and can lose its meaning when taken out of context. To that extent, the concept of interoperability needs very careful consideration.
[My identity as a customer of one bank 'A' doesn't "interoperate" with any other bank 'B'; to bank B I am always a customer of A. If I want to avail myself of bank B's services, I need to open a fresh account, and establish a fresh identity.]
[It's surely significant that interoperability doesn't actually figure anywhere in the Laws of Identity - I think because it's often moot.]
But for the most part, the Laws of Identity and the new ecosystem model are chock-full of unfamiliar abstractions. They deconstruct identities, attributes and services, and imagine that when two parties meet for the first time with a desire to transact, they start from scratch to negotiate a set of attributes that confer mutual trust. In practice, it is rare for parties in business to start from such a low base. Instead, merchants assume that shoppers come with credit cards, patients assume that doctors come with medical qualifications, and banks assume that customers have accounts. If you don't have the right credential for the transaction at hand, then you simply can't play (and you have to go back, out of band, and get yourself appropriately registered).
Perhaps the most distracting generalisation in the new identity ecosystem is that Service Providers, Identity Providers and Attribute Providers are all different entities. In reality, these roles are all fulfilled simultaneously and inseparably by banks, governments, social networks and so on.
Most federated identity initiatives are undone by the legal complexity and loss of control when customer relationship silos are broken down. It seems obvious with 20/20 hindsight, yet federation projects can battle on for years before they hit the wall.
If we are to avoid wasting more time and energy, we urgently need a new set of simplifying assumptions, instead of complicating generalisations. Fresh thinking about digital identity won't only demystify the grand plans for federated identity; it will also help to address more immediate challenges like electronic verification (EV) of identity, and bank account portability.
Assumption: There aren't many strangers in real life business
The idea of 'stranger-to-stranger' transactions is implicit in open identity theory. Yet most e-business automates routine transactions between parties that have already signed up to an overarching set of arrangements, like a credit card agreement or a supplier contract. The first and foremost aim of most digital identities should be to faithfully represent existing real world credentials, allowing them to be exercised online without changing their meaning or their terms & conditions.
Assumption: Relying Party and "Identity Provider" are often the same
The central generalisation in open identity is that Identity Providers are separate from Service Providers. This may be true in the abstract, but it plays into the flawed intuition that the identity I have with one bank should be recognisable by another.
When you take an identity outside of its original context and try to make sense of it in other contexts, then you break the original Ts&Cs. Worse, you undercut any risk analysis that was done on the issuance process. If a bank doesn't know how its customers are going to use their IDs, how can it manage its risks?
Assumption: There are no surprise credentials
One of the leading new identity technologies claims it can "prove unanticipated ... identity assertions". That is, two strangers can supposedly use this solution to work out what they need to know about each other in real time before they transact. It's really academic. The vast majority of identity assertions in mainstream business are not in fact "unanticipated" but instead are worked out in advance of designing and implementing the transaction system. When you go shopping, the merchant anticipates you will present a credit card number. When you log onto the corporate network, the relevant identity assertion is anticipated to be your employee number. When a doctor signs a prescription, the relevant identity is their provider number.
In almost all cases, the transaction context pre-defines what identity will be relevant, and we arrange ahead of time for the parties to be equipped with the right credentials.
A great deal of effort has been wasted on federated models and open identity frameworks, catering for a utopia where parties have no prior arrangements, and haven't taken time to work out what credentials are needed to support a transaction. We don't do routine transactions like this in the real world, and I can't see the point of designing radical new frameworks with untold liability implications to enable business to be done 'freestyle' online.
The urgent problems of identity theft and cyber fraud can be dealt with directly, by addressing the reliability of digital identity data. We don't need to change or extend the meaning of existing identities, nor the ways in which service providers deal directly with their clients. The generalisations of the identity ecosystem models may be fascinating but they only complicate things. Effective action in cyber security demands simplification, and not academic abstraction.