Wednesday, 28 January 2009 03:27

The Concepts of Identity and Trust in Modern Society

Identity is such a difficult concept to grasp, particularly for our political leaders. They seek the magic device that will unambiguously distinguish "terrorist" from "tourist" or "refugee" from "freeloader."  Unfortunately, what they're seeking is some measure of trust - "knowing their identity, can I trust the motives of this person?"

More importantly, in the business world for example, we generally can't drag an individual up to a security officer and insist they prove who they are; we need some suitable means to bypass this 'physicality of identity'.

This means that the definition of the term 'identity' needs to be relaxed. I'll explain why in a moment, but first it needs to be made very clear that my ATM card is an identity, and so is my login-name at work.

The general process of granting a person permission to perform some restricted task (let's say I wish to edit a document on the corporate LAN) involves three distinct (but loosely related) concepts: Identity, Authentication and Authorisation.

These three concepts are each linked to their own specific question:

Identity: Who are you?

Authentication: Can you prove it?

Authorisation: OK, what are you permitted to do?

To edit the corporate document, my identity is my login-name; my authentication is my password and my authorisation is either 'yes' I can edit or 'no' I cannot (amongst a range of other permissions, of course).

This process of identity and authentication relies on the user of the identity confirming their ability or permission to assert that identity. Nothing more, nothing less; the 'strength' and 'value' of the transaction will therefore impose limits on how well-defined the identity needs to be.

Two important points arise here: Firstly, is my login-name me?  Of course not (but it is definitely an identity under my control).

Secondly, am I limited to a single identity (even within this office context)? Definitely not. In fact, if you think about it, many of us are encouraged to have more than one - for instance the LAN administrator will have identities for 'administrative' work and for 'normal' work. This also suggests that identities may be shared or transferable.
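The three questions above, and the LAN administrator's two identities, can be made concrete in code. The following Python sketch is an added illustration, not something from the original article: the login-names, passwords, roles and permissions are constructed for the example, and the point is that identity (a lookup of the asserted identifier), authentication (proving control of it) and authorisation (what that identifier may do) are three separate checks, run in that order.

```python
"""Identity, authentication and authorisation as three separate steps.

Added illustration; the login-names, passwords and roles below are
constructed for the example and are not from the article.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class Identity:
    """An identifier plus the credential and roles bound to it.

    Note what is NOT here: the person. The identity is something the
    person controls and asserts; it is not the person.
    """
    login: str
    salt: bytes
    digest: bytes
    roles: frozenset[str]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the directory stores the digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enrol(login: str, password: str, roles: set[str]) -> Identity:
    """Establish an identity. Establishing one is separate from later using it."""
    salt = os.urandom(16)
    return Identity(login, salt, hash_password(password, salt), frozenset(roles))


# Which actions each role carries (constructed for the example).
ROLE_PERMISSIONS = {
    "staff": {"read-doc", "edit-doc"},
    "lan-admin": {"read-doc", "edit-doc", "reset-password", "create-share"},
}


def build_directory() -> dict[str, Identity]:
    """One human (the LAN administrator) holds two distinct identities."""
    return {
        ident.login: ident
        for ident in (
            enrol("dheath", "ordinary-day-to-day-secret", {"staff"}),
            enrol("dheath-admin", "separate-admin-secret", {"staff", "lan-admin"}),
            enrol("visitor", "visitor", set()),
        )
    }


def identify(directory: dict[str, Identity], login: str) -> Identity | None:
    """Identity: who are you? Nothing more than a lookup of the asserted identifier."""
    return directory.get(login)


def authenticate(identity: Identity, password: str) -> bool:
    """Authentication: can you prove it? Binds the presenter to the identifier."""
    presented = hash_password(password, identity.salt)
    return hmac.compare_digest(presented, identity.digest)


def authorise(identity: Identity, action: str) -> bool:
    """Authorisation: what may you do? Depends only on the identity's roles."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in identity.roles)


def request(directory: dict[str, Identity], login: str, password: str, action: str) -> str:
    """Run the three steps in order and report where the request stopped."""
    identity = identify(directory, login)
    if identity is None:
        return "unknown identity"
    if not authenticate(identity, password):
        return "authentication failed"
    if not authorise(identity, action):
        return "authenticated but not authorised"
    return "permitted"


if __name__ == "__main__":
    directory = build_directory()
    # The 'normal' identity can edit the document but not reset passwords ...
    print(request(directory, "dheath", "ordinary-day-to-day-secret", "edit-doc"))
    print(request(directory, "dheath", "ordinary-day-to-day-secret", "reset-password"))
    # ... the 'administrative' identity of the same person can, with its own credential.
    print(request(directory, "dheath-admin", "separate-admin-secret", "reset-password"))
    print(request(directory, "dheath-admin", "ordinary-day-to-day-secret", "reset-password"))
    print(request(directory, "nobody", "x", "read-doc"))
```

Two things worth noticing. Authorisation never consults the password or the person, only the identity's roles, which is why the same human gets different answers depending on which identity they assert. And the distinct "unknown identity" and "authentication failed" outcomes are kept separate here purely to show the three steps; a production login prompt would return one uniform failure for both so that it does not confirm which login-names exist.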

Identity management within a relatively closed environment is comparatively easy - a social club or an insurance office, for instance. We can (hopefully) confine ourselves to role-based identities and it's probably safe to assume that we're not dealing with terrorists, just hackers! The problem is that we assume the solutions that work here can be applied more widely.

Let's pause a minute and consider what identity is.  Or, more importantly, what it is not. Identity is not who we are. "Who we are" is an amalgam of a large number of discrete identities which may or may not overlap, which may or may not agree with each other (consider the policeman masquerading as a 13-year-old girl in a chat-room as an extreme example).

Most identities are defined in terms of the perceptions of others: for instance, we might buy the newspaper every morning at a kiosk before boarding the train to work.  After a few weeks, the vendor gets to know us by sight and says "hello" every morning. That is an identity; it is self-contained and complete within the bounds of the interaction. Similarly, our "family" identity is most strongly defined in terms of the perceptions of those around us. You might also consider the driver’s licence as a self-contained identity.

Interestingly, although both are valid descriptions of "you," there is minimal overlap between the kiosk "you" and the family "you," unless perhaps your spouse accompanies you to the city one day; and none at all between the kiosk and the driver's licence (apart from the photo on your licence).

The great thing about identity is that we have so many of them to choose from - not for any "nefarious" purpose, but we intentionally partition ourselves into multiple "people." The "David Heath" at work is quite distinct from the "David Heath" at home, for instance. At a simpler level, the identity we use when we visit some website that requires authentication has very little in common with anything truthful about us. But it is still an identity of ours.

From these examples, you can see that there are degrees of accountability, acceptability, reliance and strength in your varied identities.

To quote privacy researcher Roger Clarke: "Identity authentication is the process whereby a degree of confidence is established about the truth of an assertion by an entity that they have a particular identity, or are properly signified by a particular identifier." In other words, authentication is the process of binding an identity to an entity - hence ID-entity. Clearly, this is of minimal importance in our newspaper kiosk identity, but particularly crucial if we're standing in front of the immigration official attempting to enter Australia.

Interestingly, supposedly self-securing documents (such as a passport) have no concept of authentication – they step directly from Identity to Authorisation.

The link between who we are and our identity is tenuous at best; just about the only formalised "identity" we have is nothing more than a paper trail. Although credit databases are powerful tools, they are still not who we are.

Mind you, even an excellent paper trail can prove nothing - Timothy McVeigh, for example, was generally perceived as a fine, upstanding citizen. Also, the opposite - the absence of a paper trail - is no more (or less) useful. Knowing nothing about an identity is not the same as rejecting it.

Some identity documents, driver's licences for instance, are easy to fake (or acquire), yet are treated like gold. There were numerous reports in the media that at least two of the 9/11 terrorists held valid (although in false names) Virginia licences. What does that tell us about the reliability of identity documents?

There is a huge effort expended on designing and implementing a self-protecting identity token (driver's licence, passport etc) and far too little effort on the validity of the actual identity, or on checking the legitimacy of the token. I recall reading press reports in 2004 showing just how seriously the Australian government takes passport control - in the previous year, over 3000 people complained of errors in the passport they were issued - including one Caucasian woman who found the photo of an Asian man in hers.

It might also seem amusing that we regard the passport as the ultimate identity document, yet we're permitted to submit our application by mail.

What about biometrics, the catch-cry of the current decade? Biometrics is a very robust tool, particularly in the case of fingerprint and iris recognition. Biometrics, however, won't identify anyone (despite the strident cries of the privacy police); it merely allows a strong link between a person and a previously established identity. Previously working in the biometrics field, I was quoted in a technical publication by the Royal Canadian Mounted Police (IT Security Report R2-001): "A biometric does nothing more than re-establish the connection between the person and the established identity. If the established identity is weak, so are all subsequent verifications."

Given a strongly verified identity, biometrics is the most robust method available to bind that identity to the person who enrolled it. What it gives us is authoritative verification that the presenter is the enrolled owner; it says nothing about whether the identity itself was established correctly in the first place.

So, despite all the "extras," nothing changes. An identity cannot be strengthened by wrapping processes around it, even if those processes are very strong.

As mentioned at the beginning, it's not identity management we're having trouble with - it's trust management. We can create and manage as many identities as we want, but can we trust them? All of them? Some of them? None of them?  Try getting a newspaper from the kiosk guy when you have no money.  I’ll bet you could do it once, but not the second day!

Stephen Covey, in his book "Principle Centred Leadership" tells us that the map is not the territory. He is referring, of course, to the difference between our representation of something (the map) and the truth of the same thing (the territory). In exactly the same way, an identity is not a person. Identity is a map of the trust landscape, it is not equivalent to trust. We must find a way to trust the person, not the identity.

So, drawing this back to the original theme, if we can sideline issues of trust and focus on identity, excellent solutions, both technical and procedural, are available.

Consider the range of single sign-on, biometric authentication and token suppliers, not to mention the plethora of directories and other identity management systems. Over and above simple identity management, my earlier examples of the social club or insurance office don't need a lot of explicit trust management. Implied trust and post facto remedies will deal with most situations.

Governments look at these solutions with a mixture of envy and total misunderstanding of the differences involved. If trust is established, identity is easy; unfortunately the reverse does not follow. It's easy to get caught up in the hype of identity so as to completely lose sight of the fact that you were really trying to manage trust. Not only are you no better off, but your fascination with identity will probably leave you worse off.

To close, I'll offer you a pop-quiz. Would you rather be managing identity in an insurance office or trust at the immigration desk at Sydney airport?

I'll leave you to contemplate your own answer.

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
