the laws of identity

Upload: peter-newton

Post on 05-Apr-2018


  • 7/31/2019 The Laws of Identity


The Laws of Identity

The Internet was built without a way to know who and what you are connecting to. This limits what we can do with it and exposes us to growing dangers. If we do nothing, we will face rapidly proliferating episodes of theft and deception which will cumulatively erode public trust in the Internet.

This paper is about how we can prevent that loss of trust and go forward to give Internet users a deep sense of safety, privacy and certainty about who they are relating to in cyberspace. Nothing could be more essential if new Web-based services and applications are to continue to move beyond cyber publication and encompass all kinds of interaction and services. Our approach has been to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts, expressed as the Laws of Identity. Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires.

Problem Statement

The Internet was built without a way to know who and what you are connecting to.

A patchwork of identity

Since this essential capability is missing, everyone offering an Internet service has had to come up with a workaround. It is fair to say that today's Internet, absent a native identity layer, is based on a patchwork of identity one-offs.

As people's use of the web broadens, so does their exposure to these workarounds. Though no one is to blame, the result is pernicious. Hundreds of millions of people have been trained to accept anything any site wants to throw at them as being the normal way to conduct business online. They have been taught to type their names, secret passwords and personal identifying information into almost any input form that appears on their screen.

There is no consistent and comprehensible framework allowing them to evaluate the authenticity of the sites they visit, and they don't have a reliable way of knowing when they are disclosing private information to illegitimate parties. At the same time they lack a framework for controlling or even remembering the many different aspects of their digital existence.

Criminalization of the Internet

People have begun to use the Internet to manage and exchange things of progressively greater real-world value. This has not gone unnoticed by a criminal fringe which understands the ad hoc and vulnerable nature of the identity patchwork and how to subvert it. These criminal forces have increasingly professionalized and organized themselves internationally.

Individual consumers are tricked into releasing banking and other information through Phishing schemes which take advantage of their inability to tell who they are dealing with. They are also induced to inadvertently install spyware which resides on their computers and harvests information in long term Pharming attacks. Other schemes successfully target corporate, government and educational databases with vast identity holdings, and succeed in stealing hundreds of thousands of identities in a single blow. Criminal organizations exist to acquire these identities and resell them to a new breed of innovators expert in using them to steal as much as possible in the shortest possible time. The international character of these networks makes them increasingly difficult to penetrate and dismantle.


Consumer fears about the safety of the Internet prevent many from using credit cards to make online purchases. Increasingly, malware and identity theft have made privacy issues of paramount concern to every Internet user. This has resulted in increased awareness and readiness to respond to larger privacy issues.

As the virtual world has evolved, privacy specialists have developed nuanced and well-reasoned analyses of identity from the point of view of the consumer and citizen. In response to their intervention, legal thinkers, government policy makers, and elected representatives have become increasingly aware of the many difficult privacy issues facing society as we settle cyberspace. This has already led to vendor sensitivity and government intervention, and more is to be expected.

In summary, as grave as the dangers of the current situation may be, the emergence of a single simplistic digital identity solution as a universal panacea is not realistic.

Even if some miracle occurred and the various players could work out some kind of broad cross-sector agreement about what constitutes perfection in one country, the probability of extending that universally across international borders would be zero.

An identity metasystem

In the case of digital identity, the diverse needs of many players demand that we weave a single identity fabric out of multiple constituent technologies. Although this might initially seem daunting, similar things have been done many times before as computing has evolved.

For instance, in the early days of personal computing, application builders had to be aware of what type of video display was in use, and of the specific characteristics of the storage devices that were installed. Over time, a layer of software emerged that was able to provide a set of services abstracted from the specificities of any given hardware. The technology of device drivers enabled interchangeable hardware to be plugged in as required. Hardware became loosely coupled to the computer allowing it to evolve quickly since applications did not need to be rewritten to take advantage of new features.

The same can be said about the evolution of networking. At one time applications had to be aware of the specific network devices in use. Eventually the unifying technologies of sockets and TCP/IP emerged, able to work with many specific underlying systems (Token Ring, Ethernet, X.25 and Frame Relay) and even with systems, like wireless, that were not yet invented.

Digital identity requires a similar approach. We need a unifying identity metasystem that can protect applications from the internal complexities of specific implementations and allow digital identity to become loosely coupled. This metasystem is in effect a system of systems that exposes a unified interface much like a device driver or network socket does. That allows one-offs to evolve towards standardized technologies that work within a metasystem framework without requiring the whole world to agree a priori.

Understanding the obstacles

To restate our initial problem, the role of an identity metasystem is to provide a reliable way to establish who is connecting with what anywhere on the Internet.

We have observed that various types of systems have successfully provided identification in specific contexts. Yet despite their success they have failed to attract usage in other scenarios. What factors explain these successes and failures? Moreover, what would be the characteristics of a solution that would work at internet scale? In answering these questions, there is much to be learnt from the successes and failures of various approaches since the 1970s.

This investigation has led to a set of ideas called the Laws of Identity. We chose the word "laws" in the scientific sense of hypotheses about the world resulting from observation which can be tested and are thus disprovable. The reader should bear in mind that we specifically did not want to denote legal or moral precepts, nor embark on a discussion of the philosophy of identity.

These laws enumerate the set of objective dynamics defining a digital identity metasystem capable of being widely enough accepted that it can serve as a backplane for distributed computing on an Internet scale. As such, each law ends up giving rise to an architectural principle guiding the construction of such a system.

Our goals are pragmatic. When we postulate the Law of User Control and Consent, for example, it is because experience tells us: a system that does not put users in control will - immediately or over time - be rejected by enough of them that it cannot become and remain a unifying technology. How this law meshes with values is not the relevant issue.

Like the other laws, this one represents a contour limiting what an identity metasystem must look like - and must not look like - given the many social formations and cultures in which it must be able to operate. Understanding the laws can help eliminate a lot of doomed proposals before we waste too much time on them.

The laws are testable. They allow us to predict outcomes and we have done so consistently since proposing them. They are also objective, i.e. they existed and operated before they were formulated. That is how the Law of Justifiable Parties, for example, can account for the successes and failures of Microsoft's Passport identity system.

The Laws of Identity, taken together, define the architecture of the Internet's missing identity layer.

Words that allow dialogue

Many people have thought about identity, digital identities, personas and representations. In proposing the laws we do not expect to close this discussion. However, in keeping with the pragmatic goals of this exercise we define a vocabulary that will allow the laws themselves to be understood.

What is a digital identity?

We will begin by defining a digital identity as a set of claims made by one digital subject about itself or another digital subject. We ask the reader to let us define what we mean by a digital subject and a set of claims before examining this further.

What is a digital subject?

The Oxford English Dictionary (OED) defines a subject this way:

"a person or thing that is being discussed, described or dealt with."

So we define a digital subject as:

"a person or thing represented or existing in the digital realm which is being described or dealt with".

Much of the decision-making involved in distributed computing is the result of "dealing with" an initiator or requester. And it is worth pointing out that the digital world includes many subjects which need to be "dealt with" other than humans, including:

  • devices / computers (which allow us to penetrate the digital realm in the first place)
  • digital resources (which attract us to it)
  • policies and relationships between other digital subjects (e.g. between humans and devices or documents or services).

The OED goes on to define subject, in a philosophical sense, as the "central substance or core of a thing as opposed to its attributes". As we shall see, "attributes" are the things expressed in claims, and the subject is the central substance thereby described.


What is a claim?

A claim is:

"an assertion of the truth of something, typically one which is disputed or in doubt".

Some examples of claims in the digital realm will likely help:

  • A claim could just convey an identifier - for example, that the subject's student number is 490-525, or that the subject's Windows name is REDMOND\kcameron. This is the way many existing identity systems work.
  • Another claim might assert that a subject knows a given key - and should be able to demonstrate this fact.
  • A set of claims might convey personally identifying information - name, address, date of birth and citizenship, for example.
  • A claim might simply propose that a subject is part of a certain group - for example, that she has an age less than 16.
  • And a claim might state that a subject has a certain capability - for example to place orders up to a certain limit, or modify a given file.

The concept of "being in doubt" grasps the subtleties of a distributed world like the Internet. Claims need to be subject to evaluation by the party depending on them. The more our networks are federated and open to participation by many different subjects, the more obvious this becomes.

The use of the word claim is therefore more appropriate in a distributed and federated environment than alternate words such as assertion, which means "a confident and forceful statement of fact or belief". In evolving from a closed domain model to an open, federated model, the situation is transformed into one where the party making an assertion and the party evaluating it may have a complex and even ambivalent relationship. In this context, assertions need always be subject to doubt - not only doubt that they have been transmitted from the sender to the recipient intact, but also doubt that they are true, and doubt that they are even of relevance to the recipient.

Advantages of a claims-based definition

The definition of digital identity employed here encompasses all the known digital identity systems and therefore allows us to begin to unify the rational elements of our patchwork conceptually. It allows us to define digital identity for a metasystem embracing multiple implementations and ways of doing things.

In proffering this definition, we recognize it does not jibe with some widely held beliefs - for example that within a given context, identities have to be unique. Many early systems were built with this assumption, and it is a critically useful assumption in many contexts. The only error is in thinking it is mandatory for all contexts.

By way of example, consider the relationship between a company like Microsoft and an analyst service that we will call Contoso Analytics. Let's suppose Microsoft contracts with Contoso Analytics so anyone from Microsoft can read its reports on industry trends. Let's suppose also that Microsoft doesn't want Contoso Analytics to know exactly who at Microsoft has what interests or reads what reports.

In this scenario we actually do not want to employ unique individual identifiers as digital identities. Contoso Analytics still needs a way to ensure that only valid customers get to its reports. But in this example, digital identity would best be expressed by a very limited claim - the claim that the digital subject currently accessing the site is some Microsoft employee. Our claims-based approach succeeds in this regard. It permits one digital subject (Microsoft Corporation) to assert things about another digital subject without using any unique identifier.


This definition of digital identity calls upon us to separate cleanly the presentation of claims from the provability of the link to a real world object.

Our definition leaves the evaluation of the usefulness (or the truthfulness or the trustworthiness) of the claim to the relying party. The truth and possible linkage is not in the claim, but results from the evaluation. If the evaluating party decides it should accept the claim being made, then this decision just represents a further claim about the subject, this time made by the evaluating party (it may or may not be conveyed further).

Evaluation of a digital identity thus results in a simple transform of what it starts with - again producing a set of claims made by one digital subject about another. Matters of trust, attribution and usefulness can then be factored out and addressed at a higher layer in the system than the mechanism for expressing digital identity itself.

The Laws of Identity

We can now look at the seven essential laws that explain the successes and failures of digital identity systems.

1 User Control and Consent

Technical identity systems must only reveal information identifying a user with the user's consent. (Blogosphere discussion starts here...)

No one is as pivotal to the success of the identity metasystem as the individual who uses it. The system must first of all appeal by means of convenience and simplicity. But to endure, it must earn the user's trust above all.

Earning this trust requires a holistic commitment. The system must be designed to put the user in control - of what digital identities are used, and what information is released.

The system must also protect the user against deception, verifying the identity of any parties who ask for information. Should the user decide to supply identity information, there must be no doubt that it goes to the right place. And the system needs mechanisms to make the user aware of the purposes for which any information is being collected.

The system must inform the user when he or she has selected an identity provider able to track internet behavior.

Further, it must reinforce the sense that the user is in control regardless of context, rather than arbitrarily altering its contract with the user. This means being able to support user consent in enterprise as well as consumer environments. It is essential to retain the paradigm of consent even when refusal might break a company's conditions of employment. This serves both to inform the employee and indemnify the employer.

The Law of User Control and Consent allows for the use of mechanisms whereby the metasystem remembers user decisions, and users may opt to have them applied automatically on subsequent occasions.

2 Minimal Disclosure for a Constrained Use

The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution. (Starts here...)

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a need to know basis, and to retain it only on a need to retain basis. By following these practices, we can ensure the least possible damage in the event of a breach.

At the same time, the value of identifying information decreases as the amount decreases. A system built with the principles of information minimalism is therefore a less attractive target for identity theft, reducing risk even further.

By limiting use to an explicit scenario (in conjunction with the use policy described in the law of control), the effectiveness of the need to know principle in reducing risk is further magnified. There is no longer the possibility of collecting and keeping information just in case it might one day be required.

The concept of least identifying information should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents more identifying information which should be avoided if it is not needed.

In the same way, unique identifiers that can be reused in other contexts (for example drivers' license numbers, social security numbers and the like) represent more identifying information than unique special-purpose identifiers that do not cross context. In this sense, acquiring and storing a social security number represents a much greater risk than assigning a randomly generated student or employee number.

Numerous identity catastrophes have occurred where this law has been broken.

We can also express the Law of Minimal Disclosure this way: aggregation of identifying information also aggregates risk. To minimize risk, minimize aggregation.
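The age-category point above can be measured. The following is an added example, not part of the original paper: it counts how many rows in a relying party's store single out one person when the store keeps the birth date versus only the age category. The records, the postcode attribute, the fixed date and all function names are constructed for the illustration.

```python
from collections import Counter
from datetime import date

# Constructed records for the example: every birth date and postcode is made up.
TODAY = date(2024, 1, 1)  # fixed so the result is reproducible
SUBJECTS = [
    {"birth_date": date(2010, 5, 2), "postcode": "98052"},
    {"birth_date": date(2009, 11, 20), "postcode": "98052"},
    {"birth_date": date(1990, 1, 15), "postcode": "98052"},
    {"birth_date": date(1985, 7, 30), "postcode": "98052"},
    {"birth_date": date(2011, 2, 11), "postcode": "10001"},
    {"birth_date": date(2008, 9, 9), "postcode": "10001"},
    {"birth_date": date(1979, 12, 1), "postcode": "10001"},
    {"birth_date": date(2000, 6, 6), "postcode": "10001"},
]


def age_on(birth_date, today):
    """Whole years completed on `today` (the birthday itself counts)."""
    before_birthday = (today.month, today.day) < (birth_date.month, birth_date.day)
    return today.year - birth_date.year - (1 if before_birthday else 0)


def age_category(birth_date, today, threshold=16):
    """The derived claim: which side of the threshold, and nothing more."""
    if age_on(birth_date, today) < threshold:
        return "under-%d" % threshold
    return "%d-or-over" % threshold


def full_record(subject):
    """What a relying party stores if it keeps the raw birth date."""
    return (subject["birth_date"].isoformat(), subject["postcode"])


def minimal_record(subject, today=TODAY):
    """What it stores if it keeps only the age category it actually needs."""
    return (age_category(subject["birth_date"], today), subject["postcode"])


def uniquely_identified(records):
    """Number of rows whose stored attributes match no other row.

    Each such row points at exactly one subject if the store is breached.
    """
    counts = Counter(records)
    return sum(1 for record in records if counts[record] == 1)


def breach_exposure(subjects):
    """Compare the two storage choices over the same population."""
    full = [full_record(s) for s in subjects]
    minimal = [minimal_record(s) for s in subjects]
    return {"full": uniquely_identified(full),
            "minimal": uniquely_identified(minimal)}


if __name__ == "__main__":
    print(breach_exposure(SUBJECTS))
```

With the birth date retained, every row in this sample is unique in combination with the postcode; with only the age category retained, none is.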

3 Justifiable Parties

Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. (Starts here...)

The identity system must make its user aware of the party or parties with whom she is interacting while sharing information.

The justification requirements apply both to the subject who is disclosing information and the relying party who depends on it. Our experience with Microsoft's Passport is instructive in this regard. Internet users saw Passport as a convenient way to gain access to MSN sites, and those sites were happy using Passport - to the tune of over a billion interactions per day. However, it did not make sense to most non-MSN sites for Microsoft to be involved in their customer relationships. Nor were users clamoring for a single Microsoft identity service to be aware of all their Internet activities. As a result, Passport failed in its mission of being an identity system for the Internet.

We will see many more examples of this law going forward. Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter whether, for example, citizens agree it is "necessary and justifiable" for government identities to be used in controlling access to a family wiki - or connecting a consumer to her hobby or vice.

The same issues will confront intermediaries building a trust fabric. The law is not intended to suggest limitations of what is possible, but rather to outline the dynamics of which we must be aware.

We know from the law of control and consent that the system must be predictable and "translucent" in order to earn trust. But the user needs to understand who she is dealing with for other reasons, as we will see in law six (human integration). In the physical world we are able to judge a situation and decide what we want to disclose about ourselves. This has its analogy in digital justifiable parties.

Every party to disclosure must provide the disclosing party with a policy statement about information use. This policy should govern what happens to disclosed information. One can view this policy as defining "delegated rights" issued by the disclosing party.

Any use policy would allow all parties to cooperate with authorities in the case of criminal investigations. But this does not mean the state is party to the identity relationship. Of course, this should be made explicit in the policy under which information is shared.

4 Directed Identity

A universal identity system must support both omni-directional identifiers for use by public entities and unidirectional identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. (Starts here...)

Technical identity is always asserted with respect to some other identity or set of identities. To make an analogy with the physical world, we can say identity has direction, not just magnitude. One special "set of identities" is that of all other identities (the public). Other important sets exist (for example, the identities in an enterprise, some arbitrary domain, or in a peer group).

Entities that are public can have identifiers that are invariant and well-known. These public identifiers can be thought of as beacons - emitting identity to anyone who shows up. And beacons are "omni directional" (they are willing to reveal their existence to the set of all other identities).

A corporate web site with a well-known URL and public key certificate is a good example of such a public entity. There is no advantage - in fact there is a great disadvantage - in changing a public URL. It is fine for every visitor to the site to examine the public key certificate. It is equally acceptable for everyone to know the site is there: its existence is public.

A second example of such a public entity is a publicly visible device like a video projector. The device sits in a conference room in an enterprise. Visitors to the conference room can see the projector and it offers digital services by advertising itself to those who come near it. In the thinking outlined here, it has an omni-directional identity.

On the other hand, a consumer visiting a corporate web site is able to use the identity beacon of that site to decide whether she wants to establish a relationship with it. Her system can then set up a "unidirectional" identity relation with the site by selecting an identifier for use with that site and no other. A unidirectional identity relation with a different site would involve fabricating a completely unrelated identifier. Because of this, there is no correlation handle emitted that can be shared between sites to assemble profile activities and preferences into super-dossiers.

When a computer user enters a conference room equipped with the projector described above, its omni-directional identity beacon could be utilized to decide (as per the law of control) whether she wants to interact with it. If she does, a short-lived unidirectional identity relation could be established between the computer and the projector - providing a secure connection while divulging the least possible identifying information in accordance with the law of minimal disclosure.

Bluetooth and other wireless technologies have not so far conformed to the fourth law. They use public beacons for private entities. This explains the consumer backlash innovators in these areas are currently wrestling with.

Public key certificates have the same problem when used to identify individuals in contexts where privacy is an issue. It may be more than coincidental that certificates have so far been widely used when in conformance with this law (i.e. in identifying public web sites) and generally ignored when it comes to identifying private individuals.

Another example involves the proposed usage of RFID technology in passports and student tracking applications. RFID devices currently emit an omni-directional public beacon. This is not appropriate for use by private individuals.

Passport readers are public devices and therefore should employ an omni-directional beacon. But passports should only respond to trusted readers. They should not be emitting signals to any eavesdropper which identify their bearers and peg them as nationals of a given country. Examples have been given of unmanned devices which could be detonated by these beacons. In California we are already seeing the first legislative measures being taken to correct abuse of identity directionality. It shows a failure of vision among technologists that legislators understand these issues before we do.
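The difference between the two identifier directions can be shown by what two relying parties can join on. This is an added example, not part of the original paper: the paper does not say how a unidirectional identifier is fabricated, so the HMAC-SHA256 derivation is an assumption of this sketch, and the site names, user names and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def normalise_party(relying_party):
    """Canonical form of the relying party's public, omni-directional name."""
    return relying_party.strip().lower().rstrip(".")


def unidirectional_id(user_secret, relying_party):
    """Identifier for use with one relying party and no other.

    Assumption of this example: HMAC-SHA256 keyed with a secret that never
    leaves the user's system. The same site always receives the same value,
    and values for two sites cannot be linked without the key.
    """
    message = normalise_party(relying_party).encode("utf-8")
    return hmac.new(user_secret, message, hashlib.sha256).hexdigest()[:32]


def make_users(names):
    """Constructed users: one reusable global identifier, one private secret."""
    return {
        name: {"global_id": "ID-%04d" % index, "secret": secrets.token_bytes(32)}
        for index, name in enumerate(names, start=1)
    }


def identifiers_presented(users, relying_party, directed):
    """Identifier each user hands to `relying_party` under either design."""
    presented = {}
    for name, user in users.items():
        if directed:
            presented[name] = unidirectional_id(user["secret"], relying_party)
        else:
            presented[name] = user["global_id"]  # same handle at every site
    return presented


def linkable_users(site_a, site_b):
    """Users two sites could match by joining their identifier columns."""
    shared = set(site_a.values()) & set(site_b.values())
    return sorted(name for name, ident in site_b.items() if ident in shared)


if __name__ == "__main__":
    users = make_users(["ana", "ben", "chi"])
    for directed in (False, True):
        shop = identifiers_presented(users, "shop.example", directed)
        news = identifiers_presented(users, "news.example", directed)
        print("directed" if directed else "global", linkable_users(shop, news))
```

The reused global identifier lets the two sites link every user; the per-site identifiers give them nothing to join on, while each site still recognises a returning user.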

5 Pluralism of Operators and Technologies:

A universal identity system must channel and enable the interworking of multiple identity technologies run by multiple identity providers. (Starts here...)

It would be nice if there were one way to express identity. But the numerous contexts in which identity is required won't allow it.

One reason there will never be a single, centralized monolithic system (the opposite of a metasystem) is because the characteristics that would make any system ideal in one context will disqualify it in another.

It makes sense to employ a government issued digital identity when interacting with government services (a single overall identity neither implies nor prevents correlation of identifiers between individual government departments).

But in many cultures, employers and employees would not feel comfortable using government identifiers to log in at work. A government identifier might be used to convey taxation information; it might even be required when a person is first offered employment. But the context of employment is sufficiently autonomous that it warrants its own identity, free from daily observation via a government-run technology.

Customers and individuals browsing the web meanwhile will in many cases want higher levels of privacy than is likely to be provided by any employer.

So when it comes to digital identity, it is not only a matter of having identity providers run by different parties (including individuals themselves), but of having identity systems that offer different (and potentially contradictory) features.

A universal system must embrace differentiation, while recognizing that each of us is simultaneously - in different contexts - a citizen, an employee, a customer, a virtual persona.

This demonstrates, from yet another angle, that different identity systems must exist in a metasystem. It implies we need a simple encapsulating protocol (a way of agreeing on and transporting things). We also need a way to surface information through a unified user experience that allows individuals and organizations to select appropriate identity providers and features as they go about their daily activities.

The universal identity metasystem must not be another monolith. It must be polycentric (federation implies this) and also polymorphic (existing in different forms). This will allow the identity ecology to emerge, evolve and self-organize.

Systems like RSS and HTML are powerful because they vehicle any content. We need to see that identity itself will have several - perhaps many - contents, and yet can be expressed in a metasystem.

6 Human Integration:

The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. (Starts here...)

We have done a pretty good job of securing the channel between web servers and browsers through the use of cryptography - a channel that might extend for thousands of miles. But we have failed to adequately protect the two or three foot channel between the browser's display and the brain of the human who uses it. This immeasurably shorter channel is the one under attack from phishers and pharmers.

No wonder. What identities is the user dealing with as she navigates the web? How understandably is identity information conveyed to her? Do our digital identity systems interface with users in ways that objective studies have shown to work? Identity information currently takes the form of certificates. Do studies show certificates are meaningful to users?

What exactly are we doing? Whatever it is, we've got to do it better: the identity system must extend to and integrate the human user.

Carl Ellison and his colleagues have coined the term ceremony to describe interactions that span a mixed network of human and cybernetic system components - the full channel from web server to human brain. A ceremony goes beyond cyber protocols to ensure the integrity of communication with the user.

This concept calls for profoundly changing the user's experience so it becomes predictable and unambiguous enough to allow for informed decisions.

Since the identity system has to work on all platforms, it must be safe on all platforms. The properties that lead to its safety can't be based on obscurity or the fact that the underlying platform or software is unknown or has a small adoption.

One example is United Airlines Channel 9. It carries a live conversation between the cockpit of one's plane and air traffic control. The conversation on this channel is very important, technical and focused. Participants don't chat - all parties know precisely what to expect from the tower and the airplane. As a result, even though there is a lot of radio noise and static, it is easy for the pilot and controller to pick out the exact content of the communication. When things go wrong, the broken predictability of the channel marks the urgency of the situation and draws upon every human faculty to understand and respond to the danger. The limited semiotics of the channel mean there is very high reliability in communications.

We require the same kind of bounded and highly predictable ceremony for the exchange of identity information. A ceremony is not a "whatever feels good" sort of thing. It is predetermined.

But isn't this limitation of possibilities at odds with our ideas about computing? Haven't many advances in computing come about through ambiguity and unintended consequences which would be ruled out in the austere light of ceremony?

These are valid questions. But we definitely don't want unintended consequences when figuring out who we are talking to or what personal identification information to reveal.

The question is how to achieve very high levels of reliability in the communication between the system and its human users. In large part, this can be measured objectively through user testing.

    7 Consistent Experience Across Contexts

    The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

    Let's project ourselves into a future where we have a number of contextual identity choices. For example:

    • browsing: a self-asserted identity for exploring the web (giving away no real data)


    • personal: a self-asserted identity for sites with which I want an ongoing but private relationship (including my name and a long term email address)
    • community: a public identity for collaborating with others
    • professional: a public identity for collaborating issued by my employer
    • credit card: an identity issued by my financial institution
    • citizen: an identity issued by my government

    We can expect that different individuals will have different combinations of these digital identities as well as others.

    To make this possible, we must "thingify" digital identities: make them into "things" the user can see on the desktop, add and delete, select and share. How usable would today's computers be had we not invented icons and lists that consistently represent folders and documents? We must do the same with digital identities.

    What type of digital identity is acceptable in a given context? The properties of potential candidates will be specified by the web service from which a user wants to obtain a service. Matching thingified digital identities can then be displayed to the user, who can select between them and use them to understand what information is being requested. This allows the user to control what is released.

    Different relying parties will require different digital identities. Two things are clear:

    • A single relying party will often want to accept more than one kind of identity; and
    • A user will want to understand his options and select the best identity in context.

    Putting all the laws together, we can see that the request, selection, and proffering of identity information must be done such that the channel between the parties is safe. The user experience must also prevent ambiguity in the user's consent, and understanding of the parties involved and their proposed uses. These options need to be consistent and clear. Consistency across contexts is required for this to be done in a way that communicates unambiguously with the human system components.

    As users, we need to see our various identities as part of an integrated world which none the less respects our need for independent contexts.
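The matching and release step described above, sketched as an added example that is not part of the original paper: a relying party's policy names the kinds of identity it accepts and the claims it needs, the selector offers only the identities that fit, and the user can see exactly what would be released before choosing. The class names, policy fields, issuer labels and sample wallet are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    label: str      # what the user sees in the selector, e.g. "professional"
    issuer: str     # who vouches for it: "self", "employer", "bank", "government"
    claims: dict    # claim name -> value held in this identity

@dataclass(frozen=True)
class Policy:
    relying_party: str
    accepted_issuers: frozenset    # a relying party may accept more than one kind
    required_claims: frozenset
    optional_claims: frozenset = frozenset()

def satisfies(identity, policy):
    """True if the issuer is accepted and every required claim is present."""
    return (identity.issuer in policy.accepted_issuers
            and policy.required_claims.issubset(identity.claims))

def candidates(wallet, policy):
    """Labels of the identities to display for selection; empty if none fit."""
    return [i.label for i in wallet if satisfies(i, policy)]

def disclosure(identity, policy, consented=frozenset()):
    """Exactly what would be released if the user picks this identity."""
    if not satisfies(identity, policy):
        raise ValueError(f"{identity.label!r} does not meet {policy.relying_party}'s policy")
    consented = frozenset(consented)
    if not consented <= policy.optional_claims:
        raise ValueError("consent given for a claim the relying party never requested")
    released = policy.required_claims | (consented & frozenset(identity.claims))
    return {name: identity.claims[name] for name in sorted(released)}

# Constructed sample data: the contextual identities listed in the text.
WALLET = [
    Identity("browsing", "self", {}),
    Identity("personal", "self", {"name": "A. User", "email": "user@example.org"}),
    Identity("professional", "employer",
             {"name": "A. User", "email": "a.user@corp.example", "employer": "Corp"}),
    Identity("credit card", "bank", {"name": "A. User", "card_number": "0000-0000-0000-0000"}),
    Identity("citizen", "government", {"name": "A. User", "date_of_birth": "1970-01-01"}),
]
FORUM = Policy("forum.example", frozenset({"self", "employer"}),
               frozenset({"email"}), frozenset({"name"}))

if __name__ == "__main__":
    print(candidates(WALLET, FORUM))       # identities offered to the user
    print(disclosure(WALLET[1], FORUM))    # what "personal" would release
```

The identity that gives away no real data is never offered where an email address is required, and optional claims are released only with explicit consent.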

    Conclusion

    Those of us who work on or with identity systems need to obey the Laws of Identity. Otherwise, we create a wake of reinforcing side-effects that eventually undermine all resulting technology. The result is similar to what would happen if civil engineers were to flout the law of gravity. By following them we can build a unifying identity metasystem that is universally accepted and enduring.