Shostack + Friends Blog Archive

 

Identity is Hard, Let’s go Shopping.

superman.jpgKim Cameron, in the course of saying nice things about us (thanks, Kim!) says: “In my view, the identity problem is one of the hardest problems computer science has ever faced.” I think this is true, and I’d like to tackle why that is. I’m going to do that in a couple of blog posts, because I think the subject is broad and complex, and I’d like to offer some perspectives into that chaos.

I’ve been saying for a while that people like to pay for privacy, when they understand what the threat to their privacy is, and how the solution works. Thus, they buy curtains. Curtains work very well to enhance privacy by stopping passers-by from looking through your windows. Another part of that talk is that privacy means a lot of different things to people, ranging from ‘the right to be left alone’ to ‘informational self-determination’ to ‘abortion.’ I believe that identity displays very similar properties in how widely the term is used.

Identity is a problem because it means so many different things about who we are, and how we perceive ourselves, others, and our relationships with them. Identity also entails a set of business relationships, and the experiences and reliance that entities embed into those relationships. Finally, identity entails a set of government relationships, some of which are about citizenship, or various sorts of temporary presence or exclusion, or moneys flowing to or from the government. Sometimes, these relationships overlap in various ways.

This relates to Zooko’s “Decentralized, Secure, Human-Meaningful” [link to http://www.zooko.com/distnames.html no longer works] triangle. Zooko looks at the digital systems for dealing with identifiers, and the properties those identifiers can have. I want to start from the variety of relationships, and the way people think about the relationships, then move to identifiers. Replacing the actual relationship with a digital identifier often creates issues, because the two differ.

As we encode various forms of identity onto computers, we make choices about identifiers and representations. Some of these choices are now such second nature that actually listing the details them seems bizarre: “My mail client sends a message to alice@example.com”* vs “I send mail to mom.” We have internalized the idea that an email address is a good identifier for a person. We tend to internalize these representations fairly easily, even when its not a good idea. “123-45-6789 applied for this credit card,” that must be Alice Example.

I’ll talk more about the issues of assigning trust or reliance to identifiers, rather than people, in another post.

(* My mom is not named Alice, nor is her SSN the one listed. My mom is also not Midus Unknown, who posted, and may be, or be represented by, “1 Superman-1sm.”)

2 comments on "Identity is Hard, Let’s go Shopping."

  • sama says:

    Shostack,
    I am your mother…
    (sorry, it’s Friday, Star Wars day)

  • Fred Wamsley says:

    I see two big problems.
    One is that sloppy people conflate identification with authentication, authorization, or even proof of character. If your average IT application designer wrote the specs for a car you would have to swipe your driver’s license to start it.
    The other is that the whole idea of “identity” gets harder to grasp the more you study it. Greek philosophers wrestled with it for a long time. Even in everyday speech we’ll say things like “I just didn’t recognize him”, “That’s not the Alice I know”, or “He hasn’t been the same man since the brainwashing camp in Manchuria”. In fact he’s a different enough man that he shouldn’t have the security clearance his prior self had.

Comments are closed.