
Marc's Voice
Home LANs + Broadband + Devices

Tuesday, July 15, 2003

Here's an essay by Joi.... (I added my own 2 cents as a comment.)

I'm not Joi Ito, that's just my name.

There is a lot of talk about identity these days. You MUST remember that identities are like names. You are NOT your identity. Your identity points to you. Everyone has multiple identities. Roger Clark describes this as the difference between entities and identities. You are an entity. Your name, your role in the company, your relationship with your child, they are different identities. Multiple identities aren't just about having more than one email address or chat room nym. A multitude of identities is an essential component in protecting privacy and interacting in an exceedingly digital world.

When the privacy guidelines of the OECD were created (over 20 years ago), we had mainframes and no Internet and most of the personal information was collected and kept by governments, banks and very large institutions in big central computers and data mining this data was expensive and clunky. The notion of "data protection" and "control" made sense back then. They no longer do. With ubiquitous computing, decentralized databases, information stored and disseminated everywhere, it is exceedingly important to know that 1) once information is created, it exists forever and cannot be "erased", 2) data mining will become cheaper and easier, 3) transborder data flows will become seamless, 4) profiling will become a common way for businesses and governments to efficiently focus their attention on people and groups that meet certain criteria.

What does this mean? The risk now is that you can be profiled and categorized in a variety of ways that can hurt your ability to travel, get a job, get insurance, get married, etc. for things that match a profile that increases risk to the establishment even if only in a statistical way. Interaction with radicals or reading of radical material could get you in this profile so the chilling effect on dissent will be real. It means that trying to "control information" once it is created is nearly impossible. The trick is to create as little information as possible and to make it as difficult to data mine as possible. If you need to prove you are old enough to drink, there should be an ID that does just that. The library doesn't need your national ID, just a membership card with a picture so they can authenticate you. If you're doing a cash/cash foreign exchange transaction, you should only need to prove that you have the cash or the underwriting of an institution with the cash to complete your end of the transaction. (Don't get me started on why I think money laundering laws are stupid. I'll do that in another post.)

My point is. We should have different ID's for our different roles. Each of these ID's will have a different bit of authentication and collateral attached to it.

If you deconstruct the different types of ID (got this from Eric Hughes) you get 4 basic types. Your physical ID (doctors know this best), your network ID (phone number or IP address), financial ID (your bank has this info), and your legal ID (government, school; i.e., are you married? A citizen? A graduate?). Different transactions require different attributes. If you're getting married, you probably care most about whether they are married to someone else. If you're doing a financial transaction, you are probably most concerned about whether they can cover their end of the transaction. If you are trying to identify a blogger, you probably care if they are the owner of the URL. You don't care if my real name is Joi Ito or where I live exactly. As a blog reader, you probably care if it is the same blogger that has posted all of the other blog entries on this blog.

That's why I have a problem with central ID systems. If someone gives me a certificate from Verisign that says, "I Verisign assert that this is Joe Shmoe from the Canary Islands and I Verisign do not guarantee or offer any liability coverage if he hurts you or even if it turns out that he's not REALLY Joe Shmoe." How much use is that? Even if he IS Joe Shmoe, I don't care where he lives if I can't do anything about it. I'd much rather see a link from a blog that I know saying, "this is Joe Shmoe and I vouch for him!" Or go to a party and have everyone say, "you should meet Joe Shmoe, I've known him for years and I think he's great." Or if I'm trying to have a financial transaction, have his bank provide my bank with a guarantee. You get the idea. The only people who need access to your "entity" are people who have the power to throw you in jail or need to collect on long term contracts and liabilities. For MOST transactions, your physical location is not relevant or useful.

The other important thing from a privacy perspective is that you don't want all this stuff getting linked together. Organized crime is already using personal information to blackmail people. One common "query" is, "find me all company directors who are in debt and have families." They buy these liabilities and "collect" using blackmail. Your "I'm a papa" ID and your "I've borrowed money" ID and your "I am a board member of Foo. Co." ID don't necessarily need to be linked. Life would go on without these links. Yes, it would slow down projects like TIA and yes central id's are convenient, but traditional investigative crime fighting has more tools than ever before without making it so easy that criminals can use it and political groups in government can abuse it.

In Japan there is a left-wing newspaper called Akahata. The list of subscribers is tracked by the police and leaked to big company HR divisions. If you subscribed, you often can't get a job at a big company. If your parents subscribed, you can't become a public prosecutor. Now imagine that they do this by hand now. Imagine what would happen if they could instantly come up with "negative profile queries" and "filter." What you read today, write today, who you meet, have lunch with, post on your blog and later erase, where you wandered, who you rented your apartment to. They could ALL cause your children to be "filtered".

There is another issue. Identities are easy to forge. You can make the technology as robust as you want, but the chain is as weak as the weakest link. Biometrics on an ID card only prove that you're the one that the card was issued to. It doesn't prove that the issuer issued it to the right person. (Good article in The Register about this. Thanks Peter.) The point of data entry is still VERY weak in most systems. Over 10% of Canadian SS#'s are fake. These centralized ID systems to be used for "everything" increase the value of compromising the point of entry into the database. The better architecture is a variety of ID's suited and designed for specific types of transactions and interactions with a distributed network of authenticators and points of data entry.

If you need an id with biometrics and for financial transactions, a bank and a hospital should jointly issue ID's. This would be much more robust than some biometric ID issued at some government office.

Anyway, I rant and rave about this stuff in my "privacy experts" circles, but I realized that I hadn't ranted here recently. So as we think about FOAF, cameras pointing at my face, location moblogging, it is essential not to forget that WE need to be in control of what information we create and how this information is tagged, stored and authenticated. Peer-to-peer / end-to-end thinking is essential for privacy as well. Make client software that collects information from catalogs and locally recommends stuff to you, not central servers of user profiles. Empower the people, not the merchants and the governments.

Got the idea for the title of this item when acrobat told Anita that she wasn't Anita, but that was her name. ;-)


Comments (3)


◊----»
On July 16, 2003 10:49 AM Stuart Woodward said:

I wonder if you can buy gift subscriptions for Akahata. :-)


◊----»
On July 16, 2003 11:17 AM Dirk said:

This is a non-trivial problem, and intuitively I feel the multiple ID technique is a temporary workaround, not a long term solution.

Two major challenges come to my mind: 1) aggregation and inference of information from the 4 atomic types of ID can expose the entity; 2) the legitimate need to access more than one ID type in a single transaction

I really don't know how "empowering the people" would help though. Fair and explicit regulations (laws) regarding the management (collection, access and storage etc) of personal information and a transparent identity management framework seem required here, not playing cat and mouse with the government, corporations or whatever.

Dirk (who subscribes to Akahata and has a family member writing for them... see you at "Hello Work" soon :-)


◊----»
On July 16, 2003 01:38 PM Marc Canter said:

Dude,
You used a buzzword without defining it: OECD. But besides that - right on.

I know on one side we don't want to link up identities, but what if you WANT to link up identities? As long as we put on the right controls, we 'should' be able to keep out the regulators, pay collectors and bible salesmen - while uniting artists, resume publishers and social scientists.

Remember this ID game has been going on for a long time - from the moment you're born - a SS # is stamped on your head. So any attempt at establishing new ID systems, must take into account all that has transpired so far.


Multiple IDs (or avatars) is the way to go. It's the only model that models the real world.


Trackbacks (1)

Joi on entity and identity, and Jay on profile too
Excerpt: I think some of these words have different shades of meaning in different contexts, but I think the boundaries between entity, identities and profiles is somewhat unclear.
Weblog: the iCite net development blog
Tracked: July 16, 2003 11:56 AM

By Joichi Ito jito@neoteny.com. [Joi Ito's Web]
Xeni is reporting over at Boing Boing about an abandoned resort on Rarotonga - that has all its windows and no graffiti.
 
 
What does a completely abandoned resort look like after 10 years?
Nature butts right up against concrete blocks.

Steve Gillmor: "Back to watching Scoble narrowly escape being fired..."

[The Scobleizer Weblog]

I too am watching Scoble's antics carefully.  He is between a rock and a hard place.

On one side he's been hired to evangelize developers to develop for Longhorn - but on the other hand, Microsoft hates developers.  They consider them all the enemy.  But if Microsoft is going to avoid another (and another and another) lawsuit - they have to let developers - in.

The browser lawsuit was a sellout by AOL and Sun.  All they cared about was themselves.  But if AOL or Sun cared about us - they would have expanded the lawsuit considerably. 

So what do you do if you're a convicted monopolist?

You make sure that you can't get sued again.  That means they have to leave SOME of the crumbs - for us.


Updated: 9/17/2003; 12:23:25 PM.