Privacy, security and "trust" researchers and policy workers may be interested in my new work "Identity evolves: Why Federated Identity is easier said than done".
I presented this paper at the AusCERT conference last week (beware, it's long, but a condensed version is coming).
The privacy impacts of federated identity and trendy new "trust ecosystem" models (like the US National Strategy for Trusted Identities in Cyberspace, NSTIC) are complex. The biggest problem I believe is that many have underestimated the deep changes wrought by federated identity, and how it radically alters traditionally close bilateral relationships and information flows.
I worry that the term "ecosystem" is much overused. If we actually think ecologically, then it looks like we can reach interesting and novel conclusions!
Why does digital identity turn out to be such a hard problem? People are social animals with deep seated intuitions and conventions around identity, but exercising our identities online has been hugely problematic. In response to cyber fraud and the password plague, there has been a near universal acceptance of the idea of Federated Identity. All federated identity models start with the intuitively appealing premise that if an individual has already been identified by one service provider, then that identification should be made available to other services, to save time, streamline registration, reduce costs, and open up new business channels. It’s a potent mix of supposed benefits, and yet strangely unachievable. True, we can now enjoy the convenience of logging onto multiple blogs and social networks with an unverified Twitter account, but higher risk services like banking, e-health and e-government have steadfastly resisted federation, maintaining their own identifiers and sovereign registration processes.
This paper shows that federated identity is really a radical and deeply problematic departure from the way we do routine business. Federation undoes and complicates long standing business arrangements, exposing customers and service providers alike to new risks that existing contracts are unable to deal with. Identity federations tend to overlook that identities are proxies for relationships we have in different contexts. Business relationships don’t easily “interoperate”. They can’t be arbitrarily tweaked to suit different contexts, because each relationship has evolved to fit a particular niche. While the term identity “ecosystem” is fashionable, genuine ecological thinking has been lacking in contemporary identity theory. The alternative presented here is to conserve business contexts and replicate existing trusted identities when we go from real world to digital, without massively re-engineering traditional business practices.
The password plague and ‘token necklace’ have elicited a sort of broad moral panic, yet they are essentially just human factors engineering problems. Traditional access control was devised for and by technicians; consumer authentication demands better user interfaces. The real problem lies not in identity issuance processes but rather in the way perfectly good identities once issued are taken ‘naked’ online where they’re vulnerable to takeover and counterfeiting. If we focused on conserving context and replicating existing real world identities in non-replayable forms, most routine transactions could take place safely online, without the incalculable cost of re-engineering proven business arrangements.
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.