[LINK] A new ecological theory of identity
Stephen Wilson
swilson at lockstep.com.au
Sat Jun 18 14:02:10 AEST 2011
Some Linkers may be interested in my new work "Identity evolves: Why
Federated Identity is easier said than done". I presented this paper at
the AusCERT conference last week (beware, it's long, but a condensed
version is coming).

See
http://lockstep.com.au/library/identity_authentication/an-ecological-theory-of-digit

Cheers,
Steve Wilson
Lockstep.

Abstract

Why does digital identity turn out to be such a hard problem? People are
social animals with deep-seated intuitions and conventions around
identity, but exercising our identities online has been hugely
problematic. In response to cyber fraud and the password plague, there
has been a near universal acceptance of the idea of Federated Identity.
All federated identity models start with the intuitively appealing
premise that if an individual has already been identified by one service
provider, then that identification should be made available to other
services, to save time, streamline registration, reduce costs, and open
up new business channels. It’s a potent mix of supposed benefits, and
yet strangely unachievable. True, we can now enjoy the convenience of
logging onto multiple blogs and social networks with an unverified
Twitter account, but higher risk services like banking, e-health and
e-government have steadfastly resisted federation, maintaining their own
identifiers and sovereign registration processes.

This paper shows that federated identity is really a radical and deeply
problematic departure from the way we do routine business. Federation
undoes and complicates long-standing business arrangements, exposing
customers and service providers alike to new risks that existing
contracts are unable to deal with. Identity federations tend to overlook
that identities are proxies for relationships we have in different
contexts. Business relationships don’t easily “interoperate”. They can’t
be arbitrarily tweaked to suit different contexts, because each
relationship has evolved to fit a particular niche. While the term
identity “ecosystem” is fashionable, genuine ecological thinking has
been lacking in contemporary identity theory. The alternative presented
here is to conserve business contexts and replicate existing trusted
identities when we go from real world to digital, without massively
re-engineering traditional business practices.

The password plague and ‘token necklace’ have elicited a sort of broad
moral panic, yet they are essentially just human factors engineering
problems. Traditional access control was devised for and by technicians;
consumer authentication demands better user interfaces. The real problem
lies not in identity issuance processes but rather in the way perfectly
good identities once issued are taken ‘naked’ online where they’re
vulnerable to takeover and counterfeiting. If we focussed on conserving
context and replicating existing real world identities in non-replayable
forms, most routine transactions could take place safely online, without
the incalculable cost of re-engineering proven business arrangements.

Lockstep Group
Phone +61 (0)414 488 851
http://lockstep.com.au
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
-----------------------------------------------------------------------
— Asian SESAMES Awards Finalist 2010
— Anthill Magazine ‘Smart 100’ (No. 25) 2009
— Finextra Innovation Showcase 2009
— Global Security Challenge Asia Top Five 2008
— Australian Technology Showcase 2008