Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Categories
Articles

Identity without identifying

In the week that would have been their annual conference, EEMA have been hosting a series of fascinating online discussions among experts in the identity world. Today’s featured Steve Purser, Dave Birch and Kim Cameron in a deep discussion about whether we might have been looking at the wrong kind of “identity” all along…

The words “identity” and “identification” seem so close that it’s easy to think that the thing we really need to know is who someone is. And Governments, in particular, have spent a lot of effort in building systems to do that. But adoption of them has been, at best, slow and confined to relatively narrow niches. For many, perhaps most, applications, “who” is actually among the least useful things to know: often it’s not enough, sometimes it’s too much. In financial transactions we actually want to know whether someone is financially reliable; when granting access to data we want to know whether their role and other qualities entitle them to see it; in a bar we want to know whether someone is old enough to buy a drink.

The emergence of the Internet of Things makes this particularly obvious. We may well want to “authenticate” and “authorise” a car, a lightbulb or a fitness app, but this has nothing to do with its passport. On social media we might simply want to know “is the account I’m interacting with a human?”; if we’re taking a report from a whistleblower we want to know “do they work there?” but we must be able to guarantee that we cannot identify them. Technologies exist that can do this, but they’ve not been the focus of mainstream development.

Kim Cameron suggested going back, way back, to the definition of “identity”. According to the Oxford English Dictionary this has three strands: “selfness”/ sameness/individuality (a sense dating back to 1611); “whatness” (also 1611) and “whoness” (which appears in 1922). So far, identity technologies have been focussed on whoness: the thing we need when dealing with Government and colleagues. IoT and most other applications actually want whatness (interestingly this – is someone a student or staff member, are they entitled to a car parking permit – has been of interest in Research and Education). We need to do a lot more development of that and of the selfness that allows us to bring together the multiple strands of our “who” and “what” and control which we use in each context. A bar may get to see confirmation of drinking entitlement and perhaps a photo, as certified by the driving agency, but it does not need to see the rest of the information on our licence.

So, although identity technologies have already contributed a great deal to digital transformation of enterprises and government, there is still a lot to do. Virus lockdown has shown that organisations are at very different stages of that digital transformation. And, whereas previous digital identity transformations have focussed on organisations, this time we really need to consider personal digital transformation, too, and help individuals through it. Many of the problems in our current “identity” space actually derive from the two sides of the transaction being far out of step. Organisations may have transformed to demand digital identity, but the uncoordinated nature of this transformation has overwhelmed the individual, who has to deal with tens, hundreds or thousands of “transformed” entities. If every one presents different identity demands, it is little wonder that individuals cannot cope and either give up on digital services entirely, or use them in the most convenient/least secure way possible.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *