Tuesday, January 24, 2006

What does user-centric identity mean?

Granted, it makes for lovely slideware, with a smiling face in the centre of appropriate clip art for banks, hospitals, etc., but I honestly don't know what it is.

Despite its popularity, I haven't come across a clear definition of the criteria an identity system must meet to be considered 'user-centric'. And yet, this doesn't stop people from characterizing those identity systems they don't favour as unable to meet these undefined criteria.

Perhaps user-centricity can be defined in the negative, i.e. determining the common characteristics of systems that don't have it.

So, which of the below are NOT user-centric?

  • URI-based system under sole control of user (i.e. personal server)
  • Liberty-based system with identity data hosted on the client and over which users have sole control
  • Infocard mediating interactions between PC-hosted identity provider (over which users have sole control) & network service provider

  • URI-based system with identity data hosted on user's behalf at network providers at which users are given mechanisms in order to specify policy over identity release
  • Liberty-based system with identity data hosted on user's behalf at network providers at which users are given mechanisms in order to specify policy over identity release
  • Infocard mediating interactions between service provider and network identity provider storing identity data on behalf of user and at which users are given mechanisms in order to specify policy over identity release
  • Shibboleth-based system with identity data hosted on user's behalf at network providers at which users are given mechanisms in order to specify policy over identity release
  • sxip-based system with identity data hosted at network providers at which users are given mechanisms in order to specify policy over identity release

  • URI-based enterprise system with identity data hosted on user's behalf at network providers at which users are not given mechanisms in order to specify policy over identity release
  • Liberty-based enterprise system with identity data hosted on user's behalf at network providers at which users are not given mechanisms in order to specify policy over identity release
  • Enterprise Infocard mediating interactions between service provider and network identity provider storing identity data on behalf of user and at which users are not given mechanisms in order to specify policy over identity release
  • Shibboleth-based system with identity data hosted on user's behalf at network providers at which users are not given mechanisms in order to specify policy over identity release
  • sxip-based enterprise system with identity data hosted at network providers at which users are not given mechanisms in order to specify policy over identity release

Other than the enterprise deployments above, where it can be argued that the user's control over their identity is scoped by their employment contract, I believe all of the above can be user-centric.

What I take out of this exercise is that the ultimate determinant of an identity system's user-centricity is the degree of control the user has over the data that comprises their identity. And, as far as I can tell, all of the above systems can support such control, but none can guarantee it.

For instance, although Liberty's protocols have explicit support for carrying user consent decisions for the release of identity, and implementations of these protocols provide mechanisms for the user-administered definition of such policy, nothing forces a deployment to avail itself of either. Liberty's protocols could definitely be deployed in a non-user-centric manner. As could any other identity system.
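To make the distinction concrete, here is an added example (not code from the post, nor from any Liberty, Infocard, Shibboleth or sxip implementation) of an identity provider that holds attributes on the user's behalf. The user administers a release policy per relying party, and the provider carries the resulting consent decision in the assertion it issues. A single deployment switch, `honour_user_policy`, models the enterprise case from the list above: the same provider and the same protocol shape, but the user's policy is never consulted. The attribute names, relying-party names, policy and consent labels are all constructed for illustration; in particular the consent labels are not Liberty's own consent URIs.

```python
"""Attribute release under a user-administered policy (added example).

Models the point made in the post: an identity provider can carry the
user's consent decision, but whether the user's policy is consulted at
all is a deployment choice. All identifiers here are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ReleasePolicy:
    """User-administered policy: which attributes each relying party may see.

    Relying parties absent from `rules` fall back to `default`, which is
    empty (deny) unless the user chose otherwise.
    """
    rules: dict[str, set[str]] = field(default_factory=dict)
    default: set[str] = field(default_factory=set)

    def permitted(self, relying_party: str) -> set[str]:
        return set(self.rules.get(relying_party, self.default))


@dataclass
class IdentityProvider:
    """Holds identity data on the user's behalf and issues assertions.

    `honour_user_policy=False` models the enterprise deployments in the post:
    the assertion format can carry consent, but this deployment never consults
    the user's policy and releases whatever the relying party asks for.
    """
    attributes: dict[str, str]
    policy: ReleasePolicy
    honour_user_policy: bool = True

    def assertion(self, relying_party: str, requested: set[str]) -> dict:
        # Only attributes the provider actually holds can be released.
        known = set(requested) & set(self.attributes)
        if self.honour_user_policy:
            allowed = known & self.policy.permitted(relying_party)
            # Constructed consent labels (not Liberty's consent URIs).
            consent = "obtained" if allowed else "denied"
        else:
            allowed = known
            consent = "not_consulted"
        return {
            "audience": relying_party,
            "attributes": {k: self.attributes[k] for k in sorted(allowed)},
            "withheld": sorted(known - allowed),
            "consent": consent,
        }


# Constructed sample data: one user, one policy, two deployments.
USER_ATTRIBUTES = {
    "email": "alice@example.test",
    "dob": "1980-01-01",
    "employee_id": "E-0042",
}
USER_POLICY = ReleasePolicy(rules={"shop.example.test": {"email"}})

USER_CENTRIC_IDP = IdentityProvider(USER_ATTRIBUTES, USER_POLICY)
ENTERPRISE_IDP = IdentityProvider(USER_ATTRIBUTES, USER_POLICY,
                                  honour_user_policy=False)


def compare_deployments(relying_party: str, requested: set[str]) -> dict:
    """Issue the same request to both deployments and return both assertions."""
    return {
        "user_centric": USER_CENTRIC_IDP.assertion(relying_party, requested),
        "enterprise": ENTERPRISE_IDP.assertion(relying_party, requested),
    }


if __name__ == "__main__":
    for name, a in compare_deployments("shop.example.test",
                                       {"email", "dob", "nickname"}).items():
        print(name, a)
```

The useful observation is that the two assertions are structurally identical; only the `consent` value and the released attribute set differ, and an auditor reading a single assertion cannot tell from its format whether a user policy was ever consulted. That is the "can support, cannot guarantee" property in code.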

1 comment:

Rob said...

Hi Paul,

Great post. This is an increasingly important discussion the industry and the public need to have in an open forum. I have been researching digital identity and privacy for the past several years and have started to "compile" my thoughts into a clear vision for my latest startup, Falkin Systems LLC, an "incubated" company from The Cooper Union for the Advancement of Science and Art in NYC, where I also lecture graduate and undergraduate studies in electrical/computer engineering. Please find a recent post I put on my blog robmarano.blogspot.com called "Names, Traits, and Trails." I have not updated it for a while since we are in "stealth" mode for our product, but I plan on blogging on our efforts in the SAEG... I'd look forward to "merging" our thoughts on digital identity and privacy, starting first with interoperability and ease of use for users to "control" their personal, sensitive information. Have a look at my excerpt below and pay attention to my clear distinction between static and dynamic identities and how privacy and control may pertain. The latter I am still working on....

I hope that this and future blog entries of mine help in our LAP initiatives. I have several interns at The Cooper Union that have been working with me on this very issue; I started the NY Digital Identity Meetup, having them lead some of the discussions. My "team" is ready, willing and able to assist and share our work...

Warmest regards,
/rob

--
Rob Marano
CTO, Falkin Systems (founding member of Liberty Alliance's Strong Authentication Experts Group)
robmarano@gmail.com
www.falkin.com
(I-Name) http://public.xdi.org/=Rob.Marano
***
** Get your I-Name at http://2idi.com/grs/index.php?referral_code=falkinsystems
***
++
++ The NY Digital Identity MeetUp Group http://digitalid.meetup.com/3
++
Jacob Bronowski - "The world can only be grasped by action, not by contemplation."

BEGIN SNIPPET.....
Solutions to the Digital Identity and Privacy Conundrum
by Rob Marano (http://public.xdi.org/=Rob.Marano)
(C) 2001-2006 by Rob Marano, All Rights Reserved

Part 1 - Introduction to Static and Dynamic Identities

Since I began researching digital identity and the concept of digital privacy in 1999, I have always envisioned a flexible authentication system to be at the heart of every point of interaction online and offline: between people, between people and business, between people and government, and between business and government. The explosive growth of the personal computer and the Internet and, subsequently, Internet culture and commerce, has not allowed society to transpose normal human behavior and practices to the new, all-pervasive medium.


During my tenure at PricewaterhouseCoopers (PwC), I ended each conference presentation on emerging technologies with the statement, "With technology there is neither a replacement for a smile nor a frown." What I was getting across to the audience had more to do with helping transform technology into a viable replacement for physical human interaction than it did with tempering the use of technology. Processes within a business or through a value network require humans to interact with one another to make critical decisions for continued success. Since the first barter many millennia ago, good and continuing business has always included physical recognition, eye-to-eye communication and a bond to complete the transaction. Without recognition, the entire process would never proceed. Therefore, recognition of and the subsequent authenticity of the person with whom you conduct business or any type of valued transaction or interaction becomes the cornerstone of the relationship. It establishes trustworthiness between the participants, and trust is built on continued successful interaction for both parties.

Standing in front of a person fulfills the recognition process, otherwise known in IT terms as "authentication." It is a necessary but not always sufficient requirement for interaction. As the value of interaction rises, so too do the methods of recognition, which become both a physical (biometric) and a knowledge challenge/response test. Authentication answers the question, "Is this person truly who they claim to be?" Name, physical presence and traits, and distinguishing physical features, e.g., clothes, shoes, eyeglasses, jewelry, etc., serve as cursory markers as proof of identity. Society considers these traits sufficient in informal, casual interaction.

However, other forms of identity are required to conduct more formal, value-based transactions, such as citizenship, commerce (buy/sell/invest), travel, entertainment, healthcare, and participation in government programs, for example. Value translates into money, social order, or safety and security of life. In order to standardize these forms of identity, governments, organizations, and businesses have issued their own identity cards, which simply connect a signature and photograph or a uniquely distinguishing identifier (bar code) to the organization's branded token, or card; for example, birth certificate, marriage certificate, credit and debit cards, driver's license, passport, loyalty card, stadium ticket, health insurance cards, and Social Security card, respectively. Such identity cards can be defined as static, since they do not change in appearance. New ones are issued based upon a change in status of the service guaranteed by the card issuer. Moreover, these static identity cards almost always have a time value associated with them, giving an expiration date, since the user's unique distinguishing trait may change over time.

As an aside, citizenship by birth is a tough identity to prove with the lack of standardized birth certificates, which is due to the varying formats and policies of each hospital in each county in each state across the country. Moreover, marriage certificates are an important source of identity in several areas: financial records, property ownership, benefactor association, driver's license, and passports. For example, if a woman changes her name legally before using her older passport during international travel, national borders have been known to accept the marriage certificate as a proof of name change. Is there any way the border agent can verify and validate the authenticity of the marriage certificate, especially when there are no standards among the thousands of municipalities in the country? The US Congress is poised to pass the REAL-ID Act of 2005, which requires states to surrender their regulatory rights over driver's licenses and birth certificates, with no mention of marriage certificates, and excludes applicability to illegal aliens.

Returning to the concept of static identities, it's important to stress that this type of identity is given to a person upon entering or joining a group, organization, business, or state privilege like driving or marriage. Information on the actual use of services, what and when people buy, what they listen to, watch, and eat, and where they go and how frequently forms the second type of identity, called dynamic identity. As taken from the Merriam-Webster entry for privacy, "Freedom from unauthorized intrusion" or access defines privacy of one's own critical, sensitive, and personal information. It is common for people to share their static identity markers with credit card companies, government agencies, insurance companies, etc., in return for service. However, it becomes an issue of privacy to guard any sensitive information that defines their dynamic identity. This will be addressed in detail in an upcoming installment on this blog, for privacy and identity are two strands that make up the DNA which defines a person: names, traits, and trails (of dynamic information). Both static and dynamic identities serve as access keys to any type of value for every individual. The value can either be represented as goods or as services, both of which are bought, sold, or bartered.

The next installment will focus on how modern IT systems can be transformed to ensure trustworthy identity transactions across business to business, business to government, business to consumer, and consumer to government. I'll begin to detail how these technologies will help solve the problems and reduce the costs of fraud and insecurity, extend trust over the Internet between people, and help to establish and solidify trust across the spectrum of merchants, consumers, and financial service providers, helping to unleash the next generation of Internet-based commerce. It is important to note that a recent Gartner report states online banking and e-commerce have taken a slight dip due to fears of identity theft and credit fraud.

In the new Internet order, consumers will be able to transpose their purchased content across any device of their choosing, for example, from watching a movie on the bus on a mobile device/cell phone to then transposing the movie directly to their TV upon arriving at home, with ease. With technologies that deliver and assure digital identity authentication, mobile service providers can assure Hollywood that piracy would be a thing of the past because every copy of digital content will be associated to a valid, paying consumer. Moreover, consumers will be assured that their critical, sensitive information cannot be used in any type of fraud against them, since the power to control how, when, and why to use their information will rest with them...

END SNIPPET....