Upload File

the laws of identity

prev
next
out of 11
Download The Laws of Identity

Upload: peter-newton

Post on 05-Apr-2018

217 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • 7/31/2019 The Laws of Identity

    1/11

    The Law s of Ident i ty

    The Intern et was bui l t w i thout a w ay to know w ho and w hat you are connect ing to . This l imw hat w e can do w ith i t and exposes us to grow ing dangers . I f w e do nothing, w e wil l face rapidpr ol i ferat ing episodes of thef t and d ecept ion w hich w il l cumulat ively erode publ ic t rust in t

    In te rne t .This paper is about how w e can pr event that loss of t r ust and go forw ard to give Internet users deep sense of safety, pri vacy and cert ainty about w ho they are r elati ng to in cyber space. Nothi ncould be m ore essent ial if new W eb-based services and appli cation s ar e to conti nue to m ovebeyond cyber p ublication and encompass all ki nd s of int eraction and services. Our appr oach habeen t o develop a form al under standing of the dy nami cs causing digital id entit y system s to succeeor fail in variou s cont exts, expressed as the Law s of Identity . Taken together, these law s define unifyin g ident i ty m etasystem t hat can offer th e Internet t he ident i ty layer i t so obviously r equires

    Problem StatementThe Internet w as bui l t w i thout a way to know w ho and w hat you are connect ing to .

    A patchw ork of ident i tySince this essent ial capabili t y i s missing, every one offerin g an Int ernet ser vice has had to come uw ith a w ork around . It i s fair to say that tod ays Intern et, absent a native identit y layer , is based onpatchwor k of id ent i ty one-offs.As peoples use of the w eb broadens, so does their exposur e to these w or kar ound s. Thou gh no oneis to blame, th e result i s per nicious. Hun dr eds of mi ll ions of people have been tr ained to accepanything any si te w ants to thr ow at them as being the nor mal w ay to conduct business onl inThey have been taught t o type their names, secret passw ord s and personal identifyi ng inform atiointo a lmost any inp ut form that appears on t heir screen.There is no consistent and comp rehensible f ramew ork al low ing t hem t o evaluate the authent ic i tof the sites they visit , and they don t have a reliable w ay of know ing w hen they are disclosinpr ivate inform at ion to i l legi t im ate par t ies. At the same t ime they lack a framew ork for control lor even rem emberi ng the many d ifferent aspects of their di gital existence.

    Crim inal izat ion of the Inter netPeople have begun to use the Int ernet t o m anage and exchange things of pr ogressively greater r eal-w orld v alue. This has not gone unnoti ced by a crim inal fri nge w hich under stand s the ad hoc anvulnerable nature of the ident i ty patchw ork and how to subvert i t . These cr im inal forces havincr easingly pr ofessionalized and or ganized them selves int ernati onally.Individ ual consumers are t r icked i nto r e leasing banki ng and other in form at ion thr ough Phishinschemes w hich take advant age of their inabili ty to t ell w ho they are dealing w ith . They are alinduced to inadvertent ly ins ta l l spyware which res ides on their computers and harvest

    infor m ation in long term Phar m ing attacks. Other schem es successfully target cor por atgovernment and educational databases with vast identity holdings, and succeed in stealinghun dr eds of thousands of identit ies in a single blow . Cri m inal organizations exist to acquir e theidentit ies and resell them to a new breed of innovators expert in using them to steal as much aspossible in t he shor test possible t i m e. The inter nation al character of t hese netw ork s makes themincr easingly difficult to penetr ate and dismant le.

  • 7/31/2019 The Laws of Identity

    2/11

  • 7/31/2019 The Laws of Identity

    3/11

    Consumer fears about the safety of the Internet prevent many from using credit cards to makeonlin e pur chases. Incr easingly, m alw are and i dentit y theft have made pr ivacy issues of paramou nconcer n to every In tern et user . This has resulted in i ncreased aw areness and r eadin ess to r espon dto larger p r ivacy issues.As the vir tual w orld has evolv ed, pr ivacy specialists have developed nuanced and w ell-reasone

    analyses of identit y from the point of view of the consumer and cit izen. In r esponse to theint erventi on, legal thin kers, governm ent p olicy m akers, and elected r epresent atives have becomincr easingly aw are of the many diffi cult pr ivacy issues facing society as w e sett le cyberspace. Thhas already led to vendor sensiti vity and govern m ent int ervent ion, and m ore is to be expected.In summary, as grave as the dangers of the current situation may be, the emergence of a singlesimp listic digital identit y solution as a universal panacea is not r ealistic.Even i f some m ir acle occurr ed and t he var i ous players could w ork out some kin d of br oad crossector agreem ent about w hat constit utes perfection in on e countr y, the pr obabili ty of extendinthat un iversal ly acr oss internat ional bord ers w ould be zero.

    An iden t i ty m etasystemIn the case of digital identity, the diverse needs of many players demand that we weave a singleident ity fabr ic out of m ulti ple constit uent technologies. Alth ough thi s m ight ini t ially sedaunt ing, simi lar th ings have been done m any ti m es before as com put ing has evolved.For i nstance, in t he early d ays of personal comput ing, application b uild ers had to be aw are of w htyp e of video display w as in use, and of th e specific characteristics of the storage devices that w erinstalled. Over t im e, a layer of softw are em erged that w as able to pr ovid e a set of ser viceabstr acted fr om t he specificit ies of any given hard w are. The technology of device dr iver s enablint erchangeable hard w are to be plugged in as r equir ed. H ardw are becam e loosely coupled t o thcomp uter a l lowi ng i t t o evolve quickly since appl icat ions did n ot need to be r ew ri t ten to taadvantage of new featur es.The same can be said about t he evolut ion of netw ork ing. At one tim e applications had to be aw arof the specific netw ork devices in use. Event ually the uni fyin g technologies of sockets and TCP/emerged, able to w ork w it h m any specific underlyi ng system s (Tok en Ring, Ethernet, X.25 anFram e Relay) and even w ith systems, l ik e w ir eless, that w ere not yet in vented.Digital identit y requir es a simi lar app roach. W e need a uni fyin g identi ty m etasystem that caprotect applications from the internal complexities of specific implementations and allow digiident ity to b ecom e loosely coupled. This m etasystem i s in effect a system of system s that exposes uni fied inter face m uch like a device dr iver or n etw or k socket does. That allow s one-offs to evoltowards s tandardized technologies that work within a metasystem framework without requir inthe w hole w orld t o agree a pr ior i .

    Und erstan ding the obstaclesTo r esta te our ini t ia l pr oblem, the role of an i dent i ty m etasystem is to pr ovide a re l iable w ay

    establ ish w ho is connect ing w ith w hat anyw here on the Intern et .We have observed that various types of systems have successfully provided identification ispecific cont exts. Yet despit e th eir success th ey have failed t o att r act usage in ot her scenar iosW hat factor s explain t hese successes and failur es? M oreover, w hat w ould be t he characteri stics oa solution t hat w ould w ork at intern et scale? In answ ering these questions, ther e is much to blear nt from the successes and failures of vari ous appr oaches since the 19 70s.This inv estigation has led to a set of ideas called th e Law s of Identi ty . W e chose the w ord lawin t he scientific sense of hypot heses about the w or ld resultin g from obser vation w hich can b

  • 7/31/2019 The Laws of Identity

    4/11

    tested and ar e thu s dispr ovable. The reader should bear in m ind th at w e specifically did not w anto denote legal or m oral pr ecepts , nor embark on a discussion of t he phi losophy of ident i ty .These law s enum erate the set of objective dy nami cs definin g a digit al identit y m etasystem capablof being w idely enough accept ed that i t can serve as a backp lane for d istr ibut ed com put ing on aInt ernet scale. As such, each law ends up givin g ri se to an architectur al pri nciple guiding th

    constructi on of such a system.Our goals are pr agm atic. W hen w e postulate the Law of User Control and Consent, for exam ple, i t because experi ence tells us: a system t hat does not p ut u sers in contr ol w ill im m ediately or ovetim e - be rejected by enough of them th at i t cann ot becom e and r emain a uni fyin g technology. Howthi s law m eshes w ith values is not t he relevant i ssue.Like the other law s, th is one represents a contour l im it ing w hat an ident i ty m etasystem must lool ike - and must n ot look l ike - g iven t he many social form at ions and cul tur es in w hich i t m ust able to operate. Und erstanding the laws can help elimin ate a lot of doom ed pr oposals before ww aste too much t ime on them.The law s are testable. They allow us to pr edict outcomes and w e have done so consistently sincpr oposing them . They ar e also objective, i .e. they existed and operated before they w erefor m ulated . Th at is how th e Law of Justi fiable Part ies, for examp le, can accoun t for t he successeand failur es of Mi crosofts Passpor t id entity system .The Law s of Identit y, taken together, define the ar chitectur e of the Inter nets mi ssing identit y laye

    W ords that a l low dialogueM any people have thou ght about identi ty, digit al ident it ies, personas and repr esentations. Inpr oposing the law s w e do not expect to close thi s discussion. How ever, in keeping wi th thpr agm atic goals of thi s exercise w e define a vocabular y that w ill allow the law s themselves to bunders tood.

    W hat is a digi ta l ident i ty?W e w ill begin by definin g a digit al identit y as a set of claim s made by one digit al subject about i t sor anoth er digit al subject. W e ask the reader to let us define w hat w e m ean by a digital subject ana set of claims before exam ini ng thi s fur ther .

    W hat is a digital subject?The Oxfor d English Dictionar y (OED) defines a subject t his w ay:"a person or thi ng that is being discussed, described or dealt w ith ."So w e define a digit al subject as:a person or thing represented or existing in the digital realm which is being described or deaw i t h " .Much of the decis ion-making involved in d is t r ibuted comput ing is the resul t of "d eal ing w ithini t i a tor or requester. And i t i s w ort h point ing out that the digi ta l w orld includes many subje

    w hich need t o be "deal t w i th" other than hum ans, including: devices/ comp uters (w hich allow us to penetr a te the digi ta l realm in the f i rs t p lace) digi ta l resources (w hich at t ract us to i t ) policies and r elation ships betw een other digit al subjects (e.g. betw een hum ans and devicesor d ocuments or services).The OED goes on to define subject, in a philosophical sense, as the "central substance or core of athi ng as opposed to i t s att rib utes". As w e shall see, "attr ibut es" are the thi ngs expr essed in claim sand t he subject is th e centr al substance thereby descr ibed.

  • 7/31/2019 The Laws of Identity

    5/11

    W hat is a c la im ?A claim is:"an asser t ion of the t r uth of something, typical ly one w hich is disputed or in d oubt" .Some exam ples of claim s in the digital realm w ill l ik ely help:

    A claim could just convey an identi fier - for exam ple, that the subjects student num ber 490-525, or th at the subjects W indow s name is REDMOND\ kcam eron. This is the w ay manexis t ing ident i ty systems w ork . Anot her claim might assert that a subject kn ow s a given key and should be able todemon strate this fact. A set of claim s m ight convey personally ident ifying infor m ation name, addr ess, date bir th and cit izenship, for example. A claim might simp ly pr opose that a subject is part of a cert ain group for exam ple, th at shhas an age less th an 16 . And a claim might state that a subject has a cer tain capabili t y for exam ple to place ord erup t o a cer t a in l imi t , or m odify a given f i le .The concept of being in doubt " grasps the subt let ies of a dis t r ibut ed w orld l ike the Intern eClaims need to be subject to evaluation by th e part y depending on them. The mor e our n etw orkare federated and open to p arti cipation by m any different subjects, the mor e obvious this becom esThe use of the w ord claim is therefore m ore appr opria te in a dis t r ibu ted and federatedenvir onm ent than altern ate w ord s such as asserti on, w hich m eans a confident and for cefustatement of fact or belief" . In evolvin g from a closed dom ain mod el to an open, feder ated modthe si tuat ion is t r ansform ed into one w here the par t y m aking an asser t ion and th e par t y evaluat init m ay have a comp lex and even ambi valent r elation ship. In t his cont ext, assert ions need alw ays bsubject to d oubt - not only doubt that they have been t r ansmit ted f rom the sender t o the r ecipienint act, but also doubt t hat they are tr ue, and doub t th at they are even of r elevance to the recipient.

    Advan tages of a claims-based definit ionThe def ini t ion of digi ta l ident i ty employed here encompasses a l l the know n d igi tal id ent i ty systeand therefore al low s us to begin to un ify the r a t ional e lem ents of our patchwor k conceptual ly. a llow s us to def ine digi ta l ident i ty for a metasystem embracing mult ip le implementat ions and w aof doing thin gs.In p roffer ing this definit ion , w e r ecognize i t does not j i ve w ith some w idely held beliefs exam ple that w ith in a given context, identit ies have to be unique. M any early systems w ere buiw ith t his assum pti on, and it is a crit ically useful assump ti on in m any cont exts. T he only err or isthin king i t i s mandatory for a l l contexts .By w ay of exampl e, consider the relation ship betw een a com pany lik e Microsoft and an analyser vice that w e w ill call Cont oso Analyti cs. Let 's suppose M icrosoft contracts w it h ContoAnalyti cs so anyone from M icrosoft can r ead it s rep ort s on ind ustr y tr ends. L et 's suppose also tha

    Mi crosof t doesn ' t w ant Contoso Analyt ics to kn ow exact ly w ho at M icrosof t has w hat int erestsreads w hat reports .In t his scenar io w e actual ly do n ot w ant to employ unique ind ividual ident i f iers as digi ta l ident i tCont oso Analyti cs sti l l needs a w ay to ensur e that on ly valid customers get to i t s r eport s. But i n thexample, digi ta l ident i ty w ould best be expressed b y a very l im ited c laim - the c laim that t he digisubject curr ently accessing the site is som e Microsoft emp loyee. Our claim s-based appr oachsucceeds in t his regard . It perm its one digit al subject (M icrosoft Corp orati on) to asser t thin gabout another d igi ta l subject w i thout using any u nique ident i f ier.

  • 7/31/2019 The Laws of Identity

    6/11

    This definit ion of digit al identit y calls upon us to separate cleanly the pr esentation of claims frothe provabi l i ty of the l ink t o a real w orld object .Our definit ion leaves the evaluation of the usefulness (or the tr uthful ness or t he tru st-w ort hin esof the claim t o the relying part y. The tr uth and possible l in kage is not in th e claim , but r esults frothe evaluation. If the evaluatin g party d ecides i t should accept the claim being made, then th i

    decision just r epresents a furth er claim about the subject, thi s t im e made by the evaluating part y (may or m ay not be conveyed fur ther) .Evaluation of a digital identit y thus r esults in a sim ple tr ansfor m of w hat i t starts w it h agapr oducing in a set of claims made by one digit al subject about another . M atters of tr ust , attr ibut ioand usefulness can then be factored out and addressed at a higher layer in the system than them echanism for expr essing digital identit y i tself .

    The Law s of Ident i tyW e can n ow look at t he seven essential law s that explain t he successes and failur es of digitaidentity systems.

    1 User Cont rol an d ConsentTechni cal ident ity systems must only r eveal infor m ation id entifyin g a user w ith t he user s conse(Bl ogospher e discussion star ts her e...)No one is as pivotal to the success of the identity metasystem as the individual who uses i t . Thsystem m ust first of all app eal by m eans of convenience and simp licity. But to endur e, i t m ust earthe user s tru st above all .Earn ing this t r ust requires a hol ist ic comm itm ent . The system m ust be designed to put the user icontr ol - of w hat digit al identit i es are used, and w hat infor m ation is released.The system m ust also pr otect the user against decepti on, veri fying the identi ty of any part ies w hask for inform at ion. Should the user d ecide to supply ident i ty in form at ion, there must be no douthat i t goes to th e r ight place. And the system n eeds mechanism s to make the user aw are of thepur poses for w hich any inform at ion is being col lected.The system must inform the user when he or she has selected an identity provider able to trackintern et behavior.Further, i t must reinforce the sense that the user is in control regardless of context, rather thanarbi t r ar i ly a l ter i ng i ts contr act w i th t he user. This m eans being able to support user consent ienterp ri se as w ell as consum er envir onm ents. I t is essential to r etain the paradigm of consent evenw hen refusal might br eak a comp anys condi t ions of emp loyment . This serves both to in form temployee and indem nify the employer.The Law of User Cont r ol and Consent allow s for t he use of mechanisms w hereby th e m etasystemremembers user decisions, and users may opt to have them applied automatically on subsequentoccasions.

    2 M inim al Disclosure for a Constra ined UseThe solut ion w hich discloses the least amount of id ent i fying inform at ion and best l imi ts i t s usethe m ost stable long ter m solution. (Start s here...)W e should build systems that employ i denti fying infor m ation on the basis that a br each is alw apossible. Such a br each repr esents a ri sk. To m iti gate risk, i t i s best to acquir e inform ation only oa need to know basis, and to retain i t on ly on a need to retain b asis. By follow ing thepr acti ces, w e can ensur e the least possible dam age in t he event o f a br each.

  • 7/31/2019 The Laws of Identity

    7/11

    At th e sam e tim e, the value of identify ing infor mation d ecreases as the am ount d ecreases. Asystem bui l t w i th t he pr in ciples of inform at ion mi nim alism is therefore a less a t t ract ive target ident i ty thef t , reducing r isk even fur ther.By limiting use to an explicit scenario (in conjunction with the use policy described in the lawcontr ol) , the effect iveness of the need t o know p r in ciple in r educing r isk is fur th er m agnif i

    There is no longer the possibili ty of collecting and keeping information just in case i t might oday be required.The concept of least identi fying infor m ation should b e taken as m eanin g not only t he few enumber of c la ims, but the informat ion least l ikely to ident i fy a given individual across mult icontexts. For example, if a scenario r equir es pr oof of being a certain age, then it is bett er to acquirand store the age category r ather than th e bir th d ate. Date of bir th is m ore l ikely, in associati ow ith other c laim s, to un iquely ident i fy a subject , and so repr esents mor e ident i fying inform at iw hich should be avoid ed if i t is not needed.In t he same w ay, uni que identi fiers that can be reused in ot her contexts (for exampl e dr iversl icense numbers , social secur i ty num bers and the l ike) r epresent m ore ident i fying in form at iothan un ique special-pur pose ident ifiers that do not cr oss context. In t his sense, acquir ing andstoring a social security number represents a much greater risk than assigning a randomlygenerated s tudent or employee num ber.Num erous ident i ty catast r ophes have occurr ed w here this law has been br oken.W e can also expr ess the Law of M inim al Disclosur e this w ay: aggregation of id entifyin g inform atalso aggregates r isk. To m ini m ize r isk, m ini m ize aggregation.

    3 Justifiable Par tiesDigi ta l ident i ty system s must be designed so the d isclosure of ident i fyin g inform at ion is l im itedpart ies havin g a necessar y and justifiable place in a given id entity relationship . (Start s here...)The ident i t y system m ust make i ts user awar e of the par ty or par t ies wi th w hom she is in teract inw hile shar i ng inform at ion.The just i f icat ion requirements apply both to the subject who is disclosing informat ion and threlying par ty w ho depends on i t . Our exper ience w ith M icrosof t s Passport is inst r uct ive in t hr egar d. In ter net user s saw Passpor t as a conv enient w ay to gain access to MSN sit es, and t hose sit esw ere happy using Passport to t he tune of over a bi l l ion in teract ions per day. How ever, i t d id nom ake sense to m ost non-M SN sites for M icrosoft to be inv olved in their custom er relation ships. Nw ere users clamor ing for a single Micr osoft identity service to be aw are of all their In ternacti vit ies. As a r esult , Passport failed in i ts mi ssion of being an identi ty system for the Int ernet.We w il l see many mor e examples of this law going forw ard. Today some governm ents are think inof operatin g digital identit y ser vices. I t m akes sense (and is clear ly justifi able) for people to ugovern m ent- issued ident i t ies when doing business wit h the govern ment . But i t w i l l be a cul turmatter whether, for example, cit izens agree i t is "necessary and justifiable" for governmenident it i es to be used in contr olling access to a fam ily w ik i or connectin g a consumer t o her hobb

    or v ice.The same issues wi l l confr ont in term ediar ies bui lding a t r ust fabr i c . The law is not in tended suggest l im ita t ions of w hat is possible , but ra ther to out l in e the dynamics of w hich w e must baware.We know from the law of control and consent that the system must be predictable and"tr anslucent" in or der to earn t r ust . But the user n eeds to unders tand w ho she is deal ing wit h foother r easons, as w e w il l see in law s ix (human in tegrat ion) . In t he physical w orld w e ar e able

  • 7/31/2019 The Laws of Identity

    8/11

    jud ge a si t uat ion an d d ecid e w hat w e w an t t o d i scl ose ab out our selves. Th is has i t s an al ogy indigit al justifi able part ies.Every par ty to disclosure m ust pr ovide the disclosing par t y w ith a pol icy s ta tem ent abouinfor m ation use. This policy should govern w hat happens to disclosed inform ation. One can viethi s policy as definin g "delegated r ights" issued by the disclosing p arty .

    Any use pol icy w ould a l low al l par t ies to cooperate w ith authori t i es in t he case of cr im ininv estigations. But th is does not m ean the state is part y to the identit y relationship . Of course, thshould be m ade expl ic i t in the pol icy under w hich inform at ion is shared.

    4 Di rected Iden t i tyA universal ident i ty system must support both omni-direct ional ident i f iers for use by pubentit ies and unidirectional identifiers for use by private entit ies, thus facil i tating discovery wpr eventi ng un necessar y release of corr elation hand les. (Start s her e...)Techni cal identi ty is alw ays asser ted w ith r espect to some other identi ty or set of identi t ies. Tmake an analogy w ith t he physical w orld , w e can say id ent i ty has direct ion, not jus t m agni tudOne special "set of ident it ies" is that of all other id entit ies (t he public). Other im por tant sets ex(for example, the ident i t ies in an enterpr ise , some arbi t rary dom ain, or i n a peer group) .Ent i t ies that are publ ic can have ident i f iers that are invar iant and w ell -know n. These publident ifiers can be thought of as beacons em itt ing ident ity t o anyon e w ho show s up. And beaconare "omni dir ect ional" ( t hey are w il l ing to r eveal their exis tence to the set of al l o ther ident i t ies) .A corpor ate w eb site w ith a w ell-know n URL and public key cer tifi cate is a good examp le of sucpub lic entit y. There is no advantage - in fact ther e is a great disadvant age - in changing a publiURL. It is f ine for every visit or to th e site to exam ine the pub lic key cert ificate. I t is equaaccept able for everyone to k now the site is there: i ts existence is publi c.A second exam ple of such a public enti ty is a publ icly visible device l ike a video pr ojector . Tdevice sits in a conference room in an enterpr ise. Visitor s to the conference room can see thepr ojector and it offer s digital services by advert ising itself to those w ho com e near i t . In ththin king out l in ed here, i t has an omni -direct ional ident i t y.On the other hand , a consum er visit ing a corp orate w eb site is able to use the identit y beacon of th asite to decide w hether she w ants to establish a r elation ship w ith i t . Her system can th en set up a"unid ir ect ional" ident i ty r e lat ion w ith t he si te by select ing an ident i f ier for use w ith t hat si te andother. A unid ir ect ional ident i ty r e la t ion w ith a different s ite w ould involve fabr i cat ing a comp leunr elated id entifier . Because of this, ther e is no corr elation handle em itt ed that can be sharedbetw een sit es to assemble pr ofile activ it i es and pr eferences int o super-dossiers.W hen a compu ter user enters a conference room equipp ed w ith t he projector descr ibed above, i tsomn i-dir ect ional ident i ty beacon could be ut i l ized to d ecide (as per the law of control) w hether sw ants to interact w ith i t . If she does, a short -l ived unidi r ection al identi ty relation could establ ished betw een t he comp uter and the pr ojector - p rovid ing a secure connect ion w hiledivulging the least possible ident i fying inform at ion in accord ance w ith t he law of mi nim

    disclosure.Bluetooth and other w ir eless technologies have not so far confor m ed to the four th law . They uspub lic beacons for pr ivate entit i es. This explains the consum er backlash in novator s in these areaare cur ren t ly w rest l ing w i th .Public key cert ificates have the sam e pr oblem w hen used to identi fy indi vidu als in contexts wh epr ivacy is an issue. It m ay be mor e than coincidental that certi ficates have so far been w idely usew hen in conform ance w ith t his law ( i .e . in i dent i fying publ ic w eb si tes) and general ly ignored w hit comes to ident i fying pr ivate individuals.

  • 7/31/2019 The Laws of Identity

    9/11

    Anot her exam ple involv es the pr oposed usage of RFID technology in passpor ts and student t r acki napplications. RFID devices curr ently em it an omni -dir ection al publ ic beacon. This is nappropr ia te for use by pr ivate individuals.Passpor t r eaders are public devices and t herefore should employ an omn i-dir ecti onal beacon. Bupasspor ts should on ly respond to tr usted readers. They should not be em it tin g signals to any

    eavesdr opper w hich identify their bearers and peg them as nation als of a given count r y. Exam plehave been given of unm anned devices w hich could be detonated by th ese beacons. In Califor nia ware already seeing the first legislative measures being taken to correct abuse of identitydir ection ality. I t show s a failure of vision am ong technologists that legislator s under stand theissues befor e w e do.

    5 Plural ism of Operator s and T echnologies:A universal ident i ty system must channel and enable the interworking of mult iple ident itechnologies ru n by m ult iple identi ty pr ovider s. ( Start s here...)I t w ould be nice i f there w ere one w ay to express ident i ty. But the num erous contexts in w hicident i ty is requir ed wont a l low i t .One reason there will never be a single, centralized monolithic system (the opposite of am etasystem) is because the characteristics that w ould m ake any system i deal in on e context w ildisqual i fy i t in another.I t makes sense to employ a govern ment issued digi ta l ident i ty w hen interact ing w ith governm eservices (a single overall identity neither implies nor prevents correlation of identifiers betweindivi dual govern m ent depar tm ents) .But in many cultur es, employers and employees w ould not feel comfor table using govern menident i f iers to log in a t w ork. A govern ment id ent i f ier mi ght be used to convey taxat ion in form at ii t m ight even be requir ed w hen a person is f i rs t offered employm ent . But the context oemployment is suff ic ient ly autonomous that i t warrants i ts own ident i ty, f ree f rom daiobser vation via a governm ent-r un technology.Customers and individ uals brow sing the w eb meanw hile w il l in many cases w ant higher levels pr ivacy than is l ikely to be pr ovided by any emp loyer.So when i t comes to digi ta l ident i ty, i t i s not only a mat ter of having ident i ty providers run different parties (including individuals themselves), but of having identity systems that offdifferent (and potent ia l ly contr adictory ) features.A uni versal system m ust embr ace differentiation , w hile recognizin g that each of us isimu ltaneously - in differ ent cont exts - a cit i zen, an emp loyee, a custom er, a vir tual p ersona.This demonstrates, from yet another angle, that different identity systems must exist in am etasystem. It im plies w e need a sim ple encapsulating pr otocol (a w ay of agreeing on andtr ansporti ng things). W e also need a w ay to surface infor m ation thr ough a uni fied user experiencthat allow s ind ivid uals and organization s to select appr opr iate identi ty pr ovider s and featur es athey go about t heir daily activi t ies.

    The universal ident i ty m etasystem mu st not be another m onol i th . I t m ust be polycentr i( federat ion im plies this) and also polymor phic (exist ing in different form s) . This w il l a l low ident ity ecology to emerge, evolve and self-organize.Systems lik e RSS and H TM L are pow erful because they vehicle any content. W e need t o see thaidentity i tself will have several - perhaps many - contents, and yet can be expressed in ametasystem.

    6 Hum an In tegra t ion :

  • 7/31/2019 The Laws of Identity

    10/11

    The universal ident i ty metasystem must def ine the human user to be a component of thedis t r ibut ed system integrated thr ough unambiguous human-machine comm unicat ion mechanismoffer in g pr otection against ident ity att acks. (Star ts her e...)W e have done a pr etty good job of secur ing the chann el betw een w eb servers and br ow ser sthr ough the use of crypt ography a chann el that m ight extend for t housands of m iles. But w e hav

    failed to adequately prot ect th e tw o or thr ee foot channel betw een th e brow ser s display and thbr ain of the hum an w ho uses i t . Thi s im m easurably short er chann el is the one under attack fromphishers and p harmers .No w ond er. W hat identi t ies is the user dealing w ith as she navigates the w eb? Howund erstandably is identi ty infor m ation conveyed to her ? Do our digital identity system s int erfaw ith users in w ays that object ive studies have show n to w ork ? Ident i ty inform at ion current ly takthe form of cer tifi cates. D o studies show cert ificates are meaningful t o users?Wh at exact ly are w e doing? Wh atever i t i s , w eve got to d o i t bet ter : the ident i ty system muextend to and integrate the hum an user.Carl Ellison and his colleagues have coined the ter m ceremon y to d escribe in teractions t hat spanmi xed netw ork of human and cybern et ic system comp onents the ful l channel f rom w eb server thum an brain . A cerem ony goes beyond cyber pr otocols to ensure the integr i ty of comm unicat iow ith the user.This concept calls for profoundly changing the user s experience so i t becomes predictable anunambiguous enough to a l low for in form ed decis ions.Since the identi ty system has to w ork on all platfor m s, i t m ust be safe on all platfor m s. Thpr opert ies that lead to i ts safety can't be based on obscur ity or the fact that the und erlyin gplatform or sof tw are is unkn ow n or has a smal l adopt ion.One exam ple is United Air lines Channel 9. I t carr ies a l ive conver sation betw een th e cockp it ones plane and air t r affic contr ol. The conversation on t his channel is very i mp ort ant, technicand focused. Par t ic ipants don ' t chat - a l l par t ies know pr ecisely w hat to expect f rom the towand t he air plane. As a result , even though t here is a lot of r adio noise and static, i t i s easy for thpi lot and contr ol ler to pi ck out the exact content of the comm unicat ion. W hen things go w rong, tbroken predictabi l i ty of the channel marks the urgency of the s i tuat ion and draws upon everhum an faculty to und erstand and respon d to the danger . T he limi ted sem ioti cs of the channel meathere is very high re l iabi l i ty in comm unicat ions .We r equire the same k ind of bounded and highly pr edictable cerem ony for the exchange of ident i tinform at ion. A ceremon y is not a w hatever feels good sor t of th ing. I t i s predeterm ined.But isnt thi s l im itation of possibili t i es at odds w ith our id eas about comp utin g? Havent maadvances in comp uting come about thr ough ambigui ty and unint ended consequences w hich w oulbe ruled out in t he austere l ight of cerem ony?These are valid questions. But w e defini tely dont w ant unint ended consequences w hen figurinout w ho w e are ta lking to or w hat personal ident i f icat ion inform at ion to reveal .The quest ion is how to achieve very high levels of re l iabi l i ty in the comm unicat ion betw een t

    system and it s human users. In large part , thi s can be m easured objectively th r ough user t estin g.

    7 Consistent Experien ce Across Cont extsThe uni fyin g identity m etasystem m ust guar antee i ts users a simp le, consistent experi ence w hilenabling separation of contexts thr ough mu lti ple operator s and t echnologies.Let 's pr oject our selves int o a futu re w here w e have a num ber of contextual identit y choices. Foexample: brow sing: a sel f -asser ted ident i ty for explor in g the w eb (giving away no real data)

  • 7/31/2019 The Laws of Identity

    11/11

    personal : a sel f -asser ted ident i ty for s i tes w ith w hich I w ant an ongoing but pr ivatre lat ionship ( including my name and a long term email addr ess) comm unity : a publ ic ident i ty for col laborat ing w ith others pr ofessional: a publi c ident ity for collabor ating issued by m y employ er credi t card : an ident i ty issued by my f inancial ins t i tu t ion

    c i t izen: an ident i ty issued by my govern mentW e can expect that different indi vidu als w ill have different combi nation s of these digital ident itas w ell as others.To m ake thi s possible, w e m ust thi ngify digit al identi t ies m ake them i nt o thin gs the user see on t he deskt op, add and delete, select and share. How usable w ould t odays comp uter s be hadw e not in vented icons and lists that consistently repr esent folders and documents? W e must do thsam e w ith digi ta l ident i t ies.W hat typ e of digit al identity is acceptable in a given context? The pr opert ies of potent ial candid atw il l be specif ied by the w eb service f rom w hich a user w ants to obtain a service. Matchinthi ngified digital ident it ies can then be displayed to t he user, w ho can select betw een th em and usthem to und ers tand w hat informat ion is being requested. This al low s the user t o contr ol w hat released.Different r e lying par t ies w il l requir e different digi ta l ident i t ies. Tw o things are c lear : A s ingle re lying par ty w il l of ten w ant to accept mor e than one kin d of ident i ty; and A user w il l w ant to unders tand his opt ions and select the best ident i ty in contextPutti ng all the law s together , w e can see that t he request, selection, and pr offering of id entitinfor m ation m ust be don e such that th e chann el betw een th e part ies is safe. The user experi encemust also prevent ambiguity in the user s consent, and understanding of the parties involved andtheir pr oposed u ses. These option s need t o be consistent and clear. Consistency across contexts isrequir ed for t his to be done in a w ay that comm unicates unambi guously w ith t he human systemcomponents .As user s, w e need to see our variou s identit ies as part of an integrated w orld w hich none th e lesr espects our n eed for i nd ependent cont exts.

    ConclusionThose of us w ho w ork on or w ith id ent i ty systems need to obey the Laws of Ident i t y. Otherw ise, wcreate a w ake of reinfor cing side-effects that eventually und erm ine all r esulti ng technology. Thresul t i s s imilar to what would happen i f c ivi l engineers were to f lout the law of gravi ty. Bfol low ing them w e can bui ld a uni fying ident i t y m etasystem t hat is universal ly accepted anendur ing


How Could Sexual Orientation & Gender Identity (SOGI) Laws Affect You?thf_media.s3.amazonaws.com/2019/2019_01_0003_SOGIOne-Pager_… · How Could Sexual Orientation and Gender Identity

The Personal is Political: Gender Identity in the Personal Status … · 2019-12-12 · The Personal is Political: Gender Identity in the Personal Status Laws of the Gulf Arab States

r.lrQ]( - Foster Global · CRIMINAL COMPLAINT ... affidavit, and other document required by the immigration laws and ... identity theft, money laundering,

Laws of Boolean Algebra Commutative Laws of Boolean

The Holocaust. Nuremberg Laws 1935 Nuremburg Laws strip Jews of civil rights –Jewish race is defined through ancestry, not self-identity or religious

The Christian response to postmodernism. truth the laws of logic and objectivity law of identity A=A Bill Craig is Bill Craig law of non-contradiction

Concerning the Laws of Contradiction and Excluded Middle · Concerning the Laws of Contradiction and ... The law of identity is empty and meaningless, ... Concerning the Laws of Contradiction

River Bend HOA - Home · 2020. 1. 6. · EXHIBIT "C" BY-LAWS RIVER OF HILLSBOROUGH COUNTY HOMEOWNERS ASSOCIATION, -nC. ARTICLE 1 IDENTITY AND LOCATION These are the By-Laws of BEND

Do Data Breach Disclosure Sasha Romanosky Laws Reduce ...acquisti/papers/RomanoskyTelangAcqu… · risk of identity theft or other related harm, affected consumers should be notified

LAWS OF MALAYSIA - AGC...“company” means a body corporate and includes any body of persons established with a separate legal identity by or under the laws of a place outside Malaysia;

The President’s IdentIty theft - Federal Trade Commission...victims, such as state identity theft “passport” programs, state credit freeze laws, and rights granted under the

Self-sovereign Identity - Jolocom - Decentralized identity ...€¦ · 2. Digital Identity 7 The central role of identity 7 A universal identity layer 8 Self-sovereign Identity 9

PDF Enforcement of Identity Theft Laws – Cippiccippic.ca/sites/default/files/LawEnforcement.pdf · ENFORCEMENT OF IDENTITY THEFT LAWS July, ... are part of a broader ORNEC research

Coefficients of Identity and Coancestryfaculty.washington.edu/.../Lecture7_Coefficients_of_Identity_and_Coancestry.pdfCoe cients of Identity and Coancestry Identity States I The IBD

Generational Identity in the Workplace Motivating, Rewarding and Recognizing Employees November 25, 2008 Dr. Judy Laws Graybridge Malkam

NORTH CAROLINA UNIFORM REAL PROPERTY ELECTRONIC …€¦ · North Carolina’s Real Estate Recording Laws: The Ghost of 1885 ... receiving parties are assured of each other’s identity,

Backstage Tour of Identity - London Identity Summit

Claims-Based Identity Layer for the New Internet · “The Laws of Identity ” technologically -necessary principles of identity management 1. User control and consent 2. Minimal

THE CORPORATE IMAGE OF POSIVA · THE CORPORATE IMAGE OF POSIVA ... triumvirate of concepts underpinning business identity (corporate identity, organisational identity and visual identity),

SEC835 Identity and Access Management Overview. Tasks of IAM Specify the rules of electronic identity Maintain identity Validate identity Define access

MEDIA LAWS OF INDIA - caaa.incaaa.in/Image/media_laws.pdf · History of Media Laws in India 4. Media laws of India – an overview 5. Laws applicable for Information 6. Laws applicable

Has the identity of the English Common Law been …1 Has the identity of the English Common Law been eroded by EU Laws and the European Convention On Human Rights?1 Faculty of Law,

Bachelor of Laws Program in Laws LL B. (Laws 3

Smart Factories, Dumb Policy?... · have laws expressly prohibiting use of spyware. Other state laws against deceptive practices, identity theft, or computer crimes in general may

Generational Identity in the Workplace Communication and Managing Conflict November 25, 2008 Dr. Judy Laws Graybridge Malkam

CSE/ISE 312 Chapter 5: Computer Crime. Outline Hacking Identity Theft and Credit Card Fraud Laws that Rule the Web

Bachelor of Laws Program Laws LL.B. Laws

Laws of Logic. Outline What are some of the laws of Logic? -Law of Non-Contradiction -Law of Identity -Law of Rational Inference -Law of the Excluded

Politics of Identity: Unfolding the Identity of the

Do Data Breach Disclosure Laws Reduce Identity Theft?rtelang/JPAM_MS.pdf · A characteristic of these laws is that the residency of the consumer, rather than the location of the breach,

Verification of Identity - Land Services SA...Registrar-General's Verification of Identity Requirements Verification of Identity Page: 2 of 22 I have determined that the identity of

Financial Identity Fraud and Identity Theft Protection Act · 2017. 1. 7. · This presentation is not meant to serve as a substitute for reading the various laws discussed, ... FTC's

SUPERIOR COURT OF CALIFORNIA, COUNTY OF … · SUPERIOR COURT OF CALIFORNIA ... AFFIDAVIT OF IDENTITY AND ORDER ... I declare under penalty of perjury under the laws of the State

Mendel’s Laws of Genetics Mendel’s Laws of Genetics

Identity Tracking: An Extension of Identity … Tracking: An Extension of Identity Management ... SAP IDM Driver ... Identity Tracking: An Extension of Identity Management | 8