Identity without identifying

In the week that would have been their annual conference, EEMA have been hosting a series of fascinating online discussions among experts in the identity world. Today’s featured Steve Purser, Dave Birch and Kim Cameron in a deep discussion about whether we might have been looking at the wrong kind of “identity” all along…

The words “identity” and “identification” seem so close that it’s easy to think that the thing we really need to know is who someone is. And Governments, in particular, have spent a lot of effort in building systems to do that. But adoption of them has been, at best, slow and confined to relatively narrow niches. For many, perhaps most, applications, “who” is actually among the least useful things to know: often it’s not enough, sometimes it’s too much. In financial transactions we actually want to know whether someone is financially reliable; when granting access to data we want to know whether their role and other qualities entitle them to see it; in a bar we want to know whether someone is old enough to buy a drink.

The emergence of the Internet of Things makes this particularly obvious. We may well want to “authenticate” and “authorise” a car, a lightbulb or a fitness app, but this has nothing to do with its passport. On social media we might simply want to know “is the account I’m interacting with a human?”; if we’re taking a report from a whistleblower we want to know “do they work there?” but we must be able to guarantee that we cannot identify them. Technologies exist that can do this, but they’ve not been the focus of mainstream development.

Kim Cameron suggested going back, way back, to the definition of “identity”. According to the Oxford English Dictionary this has three strands: “selfness”/ sameness/individuality (a sense dating back to 1611); “whatness” (also 1611) and “whoness” (which appears in 1922). So far, identity technologies have been focussed on whoness: the thing we need when dealing with Government and colleagues. IoT and most other applications actually want whatness (interestingly this – is someone a student or staff member, are they entitled to a car parking permit – has been of interest in Research and Education). We need to do a lot more development of that and of the selfness that allows us to bring together the multiple strands of our “who” and “what” and control which we use in each context. A bar may get to see confirmation of drinking entitlement and perhaps a photo, as certified by the driving agency, but it does not need to see the rest of the information on our licence.

So, although identity technologies have already contributed a great deal to digital transformation of enterprises and government, there is still a lot to do. Virus lockdown has shown that organisations are at very different stages of that digital transformation. And, whereas previous digital identity transformations have focussed on organisations, this time we really need to consider personal digital transformation, too, and help individuals through it. Many of the problems in our current “identity” space actually derive from the two sides of the transaction being far out of step. Organisations may have transformed to demand digital identity, but the uncoordinated nature of this transformation has overwhelmed the individual, who has to deal with tens, hundreds or thousands of “transformed” entities. If every one presents different identity demands, it is little wonder that individuals cannot cope and either give up on digital services entirely, or use them in the most convenient/least secure way possible.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *