
© Xamax Consultancy Pty Ltd,  1995-2016


Roger Clarke's 'Authentication Model'

Authentication: A Sufficiently Rich Model to Enable e-Business

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Review Draft of 26 December 2001

© Xamax Consultancy Pty Ltd, 2001

This document is at http://www.rogerclarke.com/EC/AuthModel.html

The predecessor draft is at http://www.rogerclarke.com/EC/AuthModel011019.html


Abstract

Since the commercialisation of the Internet, it has been conventional to presume that e-commerce is dependent upon the parties to transactions being identified, and their identities authenticated. This paper examines the concepts of identification and authentication, and concludes that many of the conventional presumptions are misguided. It presents a model, definitions and several new terms, which it is argued lay the appropriate foundation for real progress in the e-business arena.



Preamble. Behaviour in Cyberspace

The terms 'identification' and 'authentication' are much-used in the context of e-business. This paper proposes that they are also much-misunderstood, and that the failure to grasp their real meaning and their import is seriously detrimental to the adoption of e-commerce, and of e-business more generally, including electronic services delivery and e-government.

Before embarking on the analysis, it is useful to provide a brief overview of the subject-matter that this paper addresses. This is done by means of Steiner's archetypal cartoon in the New Yorker magazine in 1993, which so captured the mood of that moment, at the dawn of the cyberspace era.

Several elements relevant to this paper can be discerned in the cartoon. They are:

If there is a moral to be found in the cartoon, it might be that, when you're using the Internet, you have only a limited amount of information available to you, and you need to be cautious about assumptions you make. In particular situations, there are various things that you might find worth authenticating before you place reliance on information, or take actions. Examples of such situations include where you provide your credit card details, utter confidences to your conversation-partner, open a file that someone has sent you, or pass on information you've received, such as investment tips, or virus warnings.

In such circumstances, you might be well-advised to collect some information about one or more of the following:

These various kinds of checking may be entirely independent from one another. In particular, knowing who your conversation-partner is is not a pre-condition for knowing the others. For example, if your bank confirms that the requisite funds have arrived in your account, you can carry out your part of the bargain with confidence, without knowing which person (or dog) you sold your goods or services to. Similarly, an on-line grief counsellor doesn't need to know the driver's licence number or commonly-used name of a client, provided that they're confident that it's the same 'Bill' or 'Susan' that they were talking to yesterday. And 'Bill' or 'Susan', while they may seek assurance about the counsellor's qualifications and undertakings of confidentiality, are not likely to seek (and are even less likely to be provided with) the counsellor's commonly-used name, home-address and home telephone number.


1. Introduction

The New Yorker cartoon charms us, because it encapsulates the above information (and probably much more) in a brisk and engaging way. The remainder of this paper adopts the much cooler, more analytical and necessarily lengthier manner necessary to establish a foundation for systems design. Where terms are used in specific ways, they are shown in the text in bold-faced type in the paragraph in which they are defined. The analysis is a further development on a number of prior publications, references to which are provided in the bibliography.

The analysis commences with the conventional ontological assumption that there is a real world of things, and an abstract world of information. The application of telecommunications-based tools to the business of corporations and government agencies, hereafter referred to as e-business, is dependent on relevant entities in the real world being modelled in databases.

Some of those entities are inert, such as warehouses, products, cartons of goods, documents and forms. Some are active, such as people and organisations. People are of especial interest. This is because:

The next section considers human identification. It is necessary to tease out the distinction between entities and identities. It becomes apparent that the language conventionally used is insufficiently rich to support the discussion, and some new terms are proposed. Building on this foundation, the subsequent section addresses the authentication of human entities and identities.

It is contended that e-business involves the authentication of many assertions that are primarily concerned with matters other than human entities and identities. A further section examines each of these in turn. Finally, the complete new model of authentication for e-business is summarised, and its implications outlined.


2. Human (Id)entification

This section commences by examining people and their identities. It then considers the data that is stored about them, including identifiers. The focus is then switched to human entities, and the means whereby they are distinguished from one another. New terminology is introduced. The section concludes with an overview of nyms, and a model of human (id)entification.


2.1 Human Entities and Identities

The term entity encompasses all manner of real-world things, including objects, animals, people, and 'legal persons' such as corporations, trusts, superannuation funds, and incorporated associations. An entity has a range of characteristics, features or attributes.

This paper's focus is initially on 'natural persons', including people performing social, economic and political functions as citizens, consumers, sole traders, and members of partnerships and unincorporated associations; and people acting as agents both for other natural persons and for legal persons such as associations and corporations.

Contrary to the presumptions made in many information systems, an entity does not necessarily have a single identity, but may have many: an identity is a particular presentation of an entity.

It is common for different presentations to be associated with each role that an entity plays. People perform many roles, and most individuals are known by different names in different contexts. In some cases, the intention is dishonourable or criminal; but in most cases the adoption of multiple personae is neither, but rather reflects the diversity of contexts in which they act, including within their family, their workplace(s), their profession, community service and art. In common law countries, people are in no way precluded from using multiple identities or aliases. Actions that take advantage of multiple or situation-specific identities in order to cause harm or circumvent the law are, on the other hand, criminal offences.

During the analysis that follows, there will be many occasions on which reference is made to both entities and identities at the same time. The term (id)entity is proposed, in order to simplify the expression.


2.2 Personal Data, Identifiers, and the Identification Process

(Id)entities exist in the real world. They are imperfectly grasped by people, and vague images of them are acquired and held in the minds of individuals. Organisations adopt a more disciplined approach to information. They actively construct models of relevant (id)entities. They do this by capturing data into data structures within information systems. In particular:

Within an organisation's information systems, a real-world identity is operationalised as some sub-set of the data that describes it, which differentiates it from other, similar identities. For example, a car may be differentiated by its accessories, its paint-scheme, a particular pattern of dents and scratches, a particular grinding sound when changing gears, and its peculiar cornering characteristics.

More formally, an identifier is one or more data-items concerning an identity that are sufficient to distinguish it from other instances of its particular class, and that is used to signify that identity.

The identities of humans are signified in a variety of ways. An identifier that is used in many circumstances is the individual's name. Names are deeply rooted in history and culture, long, subject to variants, and not exclusive to an individual. Moreover, many people use names that differ from their name as it is stated on their birth certificates. Married women may use their maiden names for professional purposes and some people use their middle name instead of their first name. Alternative names are particularly common in certain professions, either to protect a person from potential danger, or as part of an artist's or writer's creative persona.

In most jurisdictions, especially common law jurisdictions, there are few legal compulsions relating to the use of a single name, and few legal constraints on the use of multiple names to manifest multiple identities. The common law recognises that a name acquired 'by reputation' is a legally valid form of identification. People are, by and large, free to adopt a name as they see fit. There are advantages and disadvantages for a person in using the same name consistently over time, and a different set of advantages and disadvantages of using the same name across different roles.

The underlying principle in a free society is that citizens should be free to do as they please, and the state should only intervene to the extent necessary to prevent this freedom being exercised in a way that inhibits the freedom of others. A person can be mischievous with their identity/ies provided that they do not breach the criminal law or cause harm to someone in the terms of tort law.

An alternative to names is multi-attribute identification. This involves several items of data being used together to recognise the person. For example, 'the person who came to the enquiry counter was female, about 150 centimetres tall, in her 50s, and had her grand-daughter with her'.

In many populations, a person may be reliably identified by a combination of their name and date of birth, perhaps supplemented by some indicator of home-address. Organisations that maintain data about people need to devise processes firstly to discover all instances of identifiers on file that are very similar to the one being provided, and secondly to overcome the ambiguities and decide which of the alternatives is the correct one. An example of this approach is the so-called 'Phonex' technique, whereby homonyms (similar-sounding names) are treated as though they were identical. This ensures that surnames commencing with 'Mac' and 'Mc' are treated as being equivalent, as are 'Clarke' and 'Clark', and 'Byrne' and 'Burn'. The resolution of ambiguities can be undertaken by bringing the relevant information to the attention of a human being, and providing to that person such additional information as may be available; or by having a computer compare additional items.
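The two-stage process described above (a phonetic search for candidate records, then resolution of ambiguities by comparing additional items) is sketched below as an added example that is not part of the original paper. It uses the standard Soundex code as a stand-in for the 'Phonex' technique named in the text, and the record layout, function names and sample records are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Soundex letter classes: letters in one class are treated as sounding alike.
_CLASSES = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
_CODE = {letter: digit for digit, letters in _CLASSES.items() for letter in letters}


def phonetic_key(surname: str) -> str:
    """Return the 4-character Soundex key; similar-sounding names share a key."""
    letters = re.sub(r"[^A-Z]", "", surname.upper())
    if not letters:
        return ""
    key, previous = letters[0], _CODE.get(letters[0], "")
    for letter in letters[1:]:
        if letter in "HW":            # H and W do not break a run of like sounds
            continue
        code = _CODE.get(letter, "")  # vowels have no code and do break a run
        if code and code != previous:
            key += code
        previous = code
    return (key + "000")[:4]


@dataclass(frozen=True)
class PersonRecord:
    record_id: str
    given_name: str
    surname: str
    born: date


# Constructed sample file; none of these are real people.
RECORDS = [
    PersonRecord("R001", "Susan", "Clarke", date(1961, 3, 14)),
    PersonRecord("R002", "Susan", "Clark", date(1975, 9, 2)),
    PersonRecord("R003", "Bill", "Clarkson", date(1961, 3, 14)),
    PersonRecord("R004", "Bill", "Byrne", date(1980, 1, 30)),
    PersonRecord("R005", "Ann", "McDonald", date(1990, 6, 6)),
]


def find_candidates(records, surname):
    """Stage 1: every record whose surname sounds like the one presented."""
    key = phonetic_key(surname)
    return [r for r in records if key and phonetic_key(r.surname) == key]


def identify(records, surname, given_name, born):
    """Stage 2: compare additional items; never pick among ambiguous candidates.

    Returns (status, records) where status is 'matched', 'needs_review'
    (a human must resolve the ambiguity) or 'no_record'.
    """
    candidates = find_candidates(records, surname)
    if not candidates:
        return "no_record", []
    exact = [
        r for r in candidates
        if r.born == born and r.given_name.lower() == given_name.lower()
    ]
    if len(exact) == 1:
        return "matched", exact
    return "needs_review", exact or candidates
```

Note that the phonetic widening also pulls in 'Clarkson' for a 'Clark' enquiry, which is why the second stage refers anything short of a single exact match to review.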

Names and multi-attributive identifiers embody significant difficulties and uncertainties. It is advantageous for organisations to contrive identifiers for the people that they deal with that can be tested for precise equality with the data held on the organisation's files. Organisation-assigned codes have the advantage of providing a relatively short and invariant string of characters, in many cases restricted to numerics, but in some cases including letters and even special characters, especially to separate a long code into segments to enhance readability. For example, a motor vehicle is variously identified by a registration number, a chassis-number and an engine-number; and a human has many codes assigned to them by government agencies and companies that they deal with. Through the use of such codes, organisations can achieve reasonable levels of integrity of data and processes at relatively low cost.

Identification is the process whereby data is associated with a particular real-world identity. It is performed through the acquisition of data that constitutes an identifier for that identity. An organisation's purpose in undertaking an identification process is to establish that an identity presenting to it is either:

The process of identification is a search for the one among many data records that corresponds to the presenting identity.


2.3 'Entifiers' for Human Entities

The previous sub-section considered human identities. It is now necessary to consider the entities that underlie them, and how those entities are signified.

Despite the fact that this is fundamentally different from the signification of mere identities, discussions about identifiers seldom distinguish the two. A half-hearted attempt has been made by some writers through the use of the term 'positive identification' as a generic term for biometrics. Instead, this paper proposes terms that more directly signify the meaning they are intended to convey: 'entifier' to refer to the signifier for an entity, and 'entification' for the process whereby an entifier for an entity is acquired.

An entifier for a human must of necessity be some more or less formal biometric. The less formal kind comprises visual entifiers, i.e. some aspect of the person's physical appearance such as facial shape combined with the colour of hair and eyes, and quite possibly supplemented by dynamic patterns such as physical mannerisms and social behaviour.

The more formal kind comprises biometric entifiers, which are measures of some aspect of a person or their behaviour. These are of several kinds:

Biometrics are generally expensive, and inconvenient to the person concerned, and demeaning to them. They also present a difficulty in that they are collected as measures rather than as fixed values. As a result, a person will seldom if ever provide a biometric that is identical to that which is already recorded. Entification involves a search for the (or a) fit between a new measure and one of many reference measures previously recorded for many people. Biometrics, by their very nature, involve variations, and tolerance margins.

Beyond their intrusiveness, biometrics have highly significant public policy implications. This is because they provide organisations and governments with power over individuals and populations, and hence threaten personal and societal freedoms, and democracy.

The term (id)entity was proposed earlier, for use wherever a statement encompasses both entities and identities. By extension, the terms '(id)entifier' and '(id)entification' are also used in the remainder of this analysis.


2.4 'Nyms'

The presumption is often made that transactions and relationships should generally be (id)entified. This section tests that presumption and investigates the alternative approaches of anonymity and pseudonymity. It culminates in a discussion of the pseudo-identifiers used in such circumstances.


(a) The Justifications for Compulsory (Id)entification

There are many circumstances in which transactions are conducted between individuals and organisations without any (id)entifying data being made available by the person concerned. Examples include telephone and counter enquiries by members of the public, the collection of brochures from stands, and (with qualifications) visits to web-sites. Such interactions are often two-sided anonymous, in that the anonymous member of the public is aware of the (id)entity of the agency they are dealing with, but not of the (id)entity of the individual employee or contractor with whom they are communicating.

There is a variety of circumstances in which one party does have a need for the (id)entity of the other. This is because some categories of transactions are difficult to conduct on an anonymous basis, without one or perhaps both of the parties being known to the other. It is a tenable argument that (id)entification is functionally necessary in circumstances such as the following:

More generally, circumstances in which (id)entification may matter are the following:

Even in some of these circumstances, however, designs, prototypes and even operational schemes exist, that enable protection of the parties' interests without disclosure of the other party's (id)entity. An example is credit-card schemes, which are entirely feasible without direct (id)entification of the card-owner.


(b) Anonymity

An anonymous record or transaction is one in which no (id)entity is associated with the data. There is a vast range of transactions for which (id)entification is not a logical prerequisite. These include:

People desire anonymity for a variety of reasons. Some of these are of dubious social value, such as avoiding detection of their whereabouts in order to escape responsibilities such as paying debts and supporting the children of a broken marriage; avoiding retribution for financial fraud; and obscuring the flow of funds arising from illegal activities such as theft, drug-trading and extortion (commonly referred to as 'money-laundering').

Other reasons for seeking anonymity are of arguably significant social value. Examples include:

It is often blithely assumed that the interests of parties to a transaction cannot be protected if the transaction is conducted anonymously. This assumption is sometimes correct, but not always so. In many situations anonymous transactions are perfectly permissible, as long as they do not hurt anyone in a way that falls within the sphere of criminal fraud or negligent misrepresentation, or are specifically prohibited by legislation. For example, virtually all cash transactions are anonymous, whether by accident or by design. Anonymity remains one of the most effective responses to the burgeoning threats to personal privacy.

The concern is frequently expressed that anonymity compromises accountability, in that it undermines society's ability to impose sanctions on criminals and miscreants, and therefore reduces the extent to which fear of retribution curbs disapproved behaviour. Nonetheless, anonymity is a natural state, and may well remain so, despite the ravages that have been wrought by technologies, particularly during the last few decades. Moreover, in the context of e-business, a substantial industry is emerging, whose purpose is to enable and assure the ability to communicate and act in cyberspace without an identifier, still less an entifier, being associated with the resulting data.


(c) Pseudonymity

Between the two extremes of (id)entified and anonymous transactions is the concept of a pseudonymous transaction. A pseudonymous record or transaction is one that cannot, in the normal course of events, be associated with a particular (id)entity. In most cases, this is achieved through the use of some form of pseudo-identifier. A transaction is pseudonymous in relation to a particular party if the transaction data contains no direct (id)entifier for that party, and can only be related to them in the event that a very specific piece of additional data is associated with it. The data may, however, be indirectly associated with the party, if particular procedures are followed, e.g. the issuing of a search warrant or other form of court order, authorising override of the protections.

The simplest way to implement a pseudonymous scheme is to maintain an index that correlates the pseudo-identifier with an (id)entifier. The concept, usefully referred to as 'identity escrow', involves these elements:

The trusted third party must maintain a cross-index between the pseudo-identifier and the real (id)entifier. It must apply appropriate technical and organisational security measures, and divulge the link only in circumstances specified under legal authority, such as contract, legislation, search warrant or court order.
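A minimal sketch of the cross-index such a trusted third party would keep, added here as an illustration and not taken from the paper: pseudo-identifiers are random rather than derived from the real (id)entifier, the link is divulged only under one of the legal authorities the text names, and every request is logged. The class and method names, the separate pseudo-identifier per relying party, and the sample values are assumptions of this example.

```python
import secrets
from datetime import datetime, timezone

# The forms of legal authority listed in the text above.
PERMITTED_AUTHORITIES = frozenset(
    {"contract", "legislation", "search warrant", "court order"}
)


class DisclosureRefused(Exception):
    """Raised when a request to reveal the link lacks legal authority."""


class EscrowAgent:
    """Trusted third party holding the pseudo-identifier / (id)entifier index."""

    def __init__(self):
        self._index = {}     # pseudo-identifier -> real (id)entifier
        self._issued = {}    # (real (id)entifier, relying party) -> pseudo-identifier
        self.audit_log = []  # one entry per disclosure request, granted or not

    def pseudo_identifier(self, real_identifier, relying_party):
        """Return a stable pseudo-identifier for this person at this relying party.

        The value is random, not a hash of the real identifier, so it cannot be
        reversed by guessing identifiers. A different value is issued per
        relying party (an assumption of this example) so that two organisations
        cannot correlate their records.
        """
        key = (real_identifier, relying_party)
        if key not in self._issued:
            pseudo = "nym-" + secrets.token_hex(8)
            while pseudo in self._index:          # regenerate on collision
                pseudo = "nym-" + secrets.token_hex(8)
            self._issued[key] = pseudo
            self._index[pseudo] = real_identifier
        return self._issued[key]

    def disclose(self, pseudo, authority, reference, requester):
        """Reveal the real (id)entifier only under a permitted legal authority."""
        granted = authority in PERMITTED_AUTHORITIES and pseudo in self._index
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "pseudo_identifier": pseudo,
            "authority": authority,
            "reference": reference,
            "requester": requester,
            "granted": granted,
        })
        if not granted:
            raise DisclosureRefused(f"no legal authority for {pseudo!r}")
        return self._index[pseudo]


def demo():
    """Constructed walk-through: two relying parties, one refused request."""
    agent = EscrowAgent()
    person = "licence 0000000 (constructed)"
    shop_nym = agent.pseudo_identifier(person, "bookshop")
    clinic_nym = agent.pseudo_identifier(person, "clinic")
    try:
        agent.disclose(shop_nym, "marketing request", "n/a", "bookshop")
        refused = False
    except DisclosureRefused:
        refused = True
    revealed = agent.disclose(shop_nym, "court order", "ORDER-PLACEHOLDER", "police")
    return shop_nym, clinic_nym, refused, revealed, agent.audit_log
```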

Many such mechanisms already exist, in a variety of settings. Examples include the following:

The first of the above examples, banking secrecy, has been significantly reduced in recent years, because of the extent to which it has been used to hide the proceeds of crime. It would be a mistake, however, to assume that this demonstrates that pseudonymous banking is unjustifiable. The original intention of Swiss banking secrecy was the protection of Jews who broke German law in the 1930s by depositing value in Swiss banks. During the second half of the twentieth century, the technique was applied to less worthy purposes, without any adjustment to the checks and balances within the system. The need is for both (id)entity-protection methods, and the means to override the protections when the public interest demands it.


(d) Nyms

Identified transactions use an (id)entifier for the person concerned. A word is needed for the equivalent concept where the transaction is anonymous or pseudonymous.

That the concept is mainstream is evidenced by the wide range of terms that are available to choose from. They include aka (short for 'also-known-as'), alias, avatar, handle, nickname, nick, nom de guerre, nom de plume, moniker, persona, personality, profile, pseudonym, pseudo-identifier, sobriquet, and stage-name. The author coined the term 'digital persona' in 1994 to refer to "a model of an individual's public personality, based on data, maintained by transactions, and intended for use as a proxy for the individual". At about the same time, the term 'e-pers' (an abbreviation of electronic persona) was suggested. These terms almost all have particular usages and connotations, and they evidence somewhat different meanings. The term 'nym' appears to be gaining currency, and has the advantages of being derived from a relevant Greek root, and carrying little semantic baggage with it.

A 'nym' is one or more data-items relating to an (id)entity that are sufficient to distinguish it from other instances of its particular class, but without enabling association with a specific (id)entity. For example, an email-address such as hotdoggity@hotmail.com, enables an organisation to conduct not just one transaction, but also multiple transactions over a series of episodes, and even enables the individual and the organisation to establish a relationship, without the organisation knowing who the person is that is using that nym.

Most commonly, there is a 1-to-n relationship between a person and nyms, i.e. each person uses zero, one or more nyms, and no-one else uses those nyms. Other arrangements are also possible, however. A nym could be used on a 1-to-1 basis, i.e. precisely one person could use that nym, and no other nym. More commonly, nyms are used on an n-to-1 basis, i.e. many people use the same nym. An example of such a usage is within organisations where a common email account is used for a particular function, such as webmaster@<organisation>.org.<cc>, sales@<corporation>.com.<cc>, and enquiries@<agency>.gov.<cc>.

Nyms are much-used by corporations and government agencies. Organisations use them to differentiate business enterprises operated by the same legal entity, and to project particular images to their prospective customers. Employees of organisations use them to avoid disclosing their commonly-used personal identities.

Among the general public, nyms are used by criminals. They are also used by many other, much more interesting people, and are an important part of the rich fabric of human culture. A common application of pseudonymity is to reflect the various roles that people play. For example, on any one day, a person may act as their private selves, as an employee of an organisation, as an officer of a professional association, and as an officer of a community organisation. In addition, a person may have multiple organisational roles (e.g. substantive position, acting position, various roles on projects and cross-organisational committees, bank signatory, first-aid officer and fire warden), and multiple personal roles (e.g. parent, child and spouse; scoutmaster, sporting team-coach and participant in professional and community committees; writer of letters-to-the-newspaper-editor and participant in newsgroups, e-lists and chat-channels; chess-player, on-line game-player, and user of on-line gaming services).

A common application of nyms is where a person establishes multiple relationships with the same organisation, with a separate nym for each relationship. This may be to reflect the various roles the person plays when they interact with that organisation (e.g. contractor, beneficiary, share-holder, customer, lobbyist, debtor, creditor). For example, in many jurisdictions an employee of a driver-licensing registry who themselves holds a driver's licence has a licence-number different from their employee-number.

A further function of a nym is to put at rest the minds of people who are highly nervous about the power of organisations to bring pressure to bear on them. Examples of relationships for which nymity is critical include the treatment of socially sensitive conditions such as sexually-transmitted diseases and substance-dependence, 'whistle-blowing', police informers, and national security operatives. Consumers use them to avoid the consolidation of a profile by marketers, and to avoid the correlation by government agencies between enquiries that they make to an agency, and that agency's holdings of personal data about them.

One-time nyms are of limited use. For example, a person can make up a name when they call an enquiry service; but if they call again and want to continue the conversation with the enquiry service where they left off, then they will be unable to do so without using the same made-up name. This is because the organisation is unable to recover the previous data from its database unless an (id)entifier is available.

There are therefore some additional features that nyms need to have if they are to support transactions of any complexity, or long-term relationships. These include:

An increasing array of technologies exist that enable nyms. In the contemporary contexts of highly data-intensive relationships, and Internet-mediated communications, pseudonymity and multiple nyms are especially important measures to encourage the adoption of all forms of e-business.


2.5 A Model of Human (Id)entities

In order to make effective decisions within the domain of e-business, a sufficiently rich framework or meta-model is essential. Exhibit 1 depicts key elements of the analysis that was presented in this section.

Some key aspects of the model that differentiate it from the conventional wisdom are that:


3. Human (Id)entity Authentication

The preceding section presented a model of human (id)entities. This section considers ways in which assertions about them may be authenticated. It firstly addresses the authentication of assertions of human identity, and then of human entity. Secondly, it considers the quality of (id)entity and of (id)entification processes. A final sub-section is concerned with the implications that quality factors have for the parties to e-business transactions.


3.1 Human Identity Authentication

The term identity authentication refers to the process whereby an organisation establishes its degree of confidence in an assertion that a party is who they purport to be. More laboriously expressed, it is a process designed to cross-check against additional evidence the identity signified by the identifier acquired during the identification process. An item of evidence is usefully referred to as an 'authenticator' or a 'credential'.

Authentication is expensive, and hence the degree of effort invested needs to reflect the likelihood of accidental and intentional error, and of the harm that would arise if error occurred. One approach is to gather additional identifiers, i.e. two or more of the categories of identifier described above, comprising names, multi-attribute identifiers, and codes. Alternatively, a level of assurance can be established by requiring that a person demonstrate that they have some knowledge that only that person could be expected to be able to provide. In consumer and citizen counter and telephone services, for example, the person may be asked for their birthdate, their mother's or wife's maiden name, a password, or a 'personal identification number' (PIN).

Another approach is to provide the person with a token, which is some 'thing' that the person is expected to present as evidence that they are the person concerned. Token-based schemes are very effective in tightly controlled environments, as a variant on the 'turnaround document' approach: the person first presents at a counter, then must wait in a large, anonymous area prior to visiting the counter a second time. If an identifier is issued on the first occasion, and interchange or theft of the identifier is evidence of identity within that limited context.

Another common form of token is a card issued by an organisation. Such cards are generally provided on the basis of documentary evidence of identity presented by the person. Examples of such documents include birth certificates, marriage certificates, passports, drivers' licences (and, in some jurisdictions, non-drivers' 'licences'), employer-issued building security cards, credit cards, club membership cards, statutory declarations, affidavits, letters of introduction, and invoices from utilities. In the electronic arena, a form of token that might be used for identity authentication is a digital signature consistent with the public key attested to by a digital certificate.

Difficulties arise with all forms of evidence of identity. Apart from the costs and inconveniences involved, documentary evidence is fundamentally unreliable. Ultimately, all documents depend on some seed document, most commonly a birth certificate; and such documents do not embody any reliable association with an identity.

Reflecting the high degree of unreliability of each of the approaches to human identity authentication, organisations that have a need for relatively high levels of confidence commonly require one or more tokens, supplemented by knowledge-based tests. This is frequently highly inconvenient for people, often demeaning, and in many cases impractical. Corporations and government agencies often use their power over individuals to achieve compliance, rather than seeking consensus among stakeholders about the appropriate balance between social control and personal freedoms.


3.2 Human Entity Authentication

The term entity authentication refers to the process whereby an organisation establishes its degree of confidence in an assertion that a party is a specific instance of the species homo sapiens.

The entification of a human entity depends on the gathering of an entifier of the person, i.e. a biometric. The authentication process involves a cross-check of the entifier against a reference measure. Authentication measures include:

Such processes are expensive, inconvenient, intrusive, and threatening. Unlike entification, however, they involve a 1-to-1 comparison between a new measure and a single previously-recorded measure. Biometric authentication is therefore capable of being designed so as to achieve balance among multiple interests, at least in principle (although seldom to date in practice).
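The contrast between the 1-to-many search of entification (section 2.3) and the 1-to-1 comparison of authentication is worked through below as an added example, not part of the original paper. It assumes biometric templates are fixed-length bit strings compared by Hamming distance within a tolerance margin and, for the error estimate, that templates of different people are independent random bits; the function names and sample templates are constructed.

```python
from math import comb


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def authenticate(claimed_id, sample, references, tolerance):
    """1-to-1: compare the new measure with the single reference for the claim."""
    reference = references.get(claimed_id)
    return reference is not None and hamming(sample, reference) <= tolerance


def entify(sample, references, tolerance):
    """1-to-many: search every reference; return all fits, closest first."""
    hits = sorted((hamming(sample, ref), pid) for pid, ref in references.items())
    return [pid for distance, pid in hits if distance <= tolerance]


def false_match_rate(bits: int, tolerance: int) -> float:
    """Chance that an unrelated random template falls within the tolerance."""
    return sum(comb(bits, k) for k in range(tolerance + 1)) / 2 ** bits


def search_false_match(fmr: float, enrolled: int) -> float:
    """Chance that a 1-to-many search over `enrolled` unrelated references
    produces at least one false fit, given the per-comparison rate."""
    return 1 - (1 - fmr) ** enrolled


# Constructed 16-bit templates (real templates are far longer).
ALICE = 0b1011001110001111
BOB = 0b0100110001110000
SAMPLE = ALICE ^ 0b0000000000000011   # Alice re-measured: 2 bits differ
CAROL = SAMPLE ^ 0b0000000000011100   # unrelated person who happens to be close
REFERENCES = {"alice": ALICE, "bob": BOB, "carol": CAROL}
TOLERANCE = 3


def demo():
    """Return the outcomes of both processes on the constructed data."""
    return {
        "claim_alice": authenticate("alice", SAMPLE, REFERENCES, TOLERANCE),
        "claim_bob": authenticate("bob", SAMPLE, REFERENCES, TOLERANCE),
        "search": entify(SAMPLE, REFERENCES, TOLERANCE),
        "fmr_one_comparison": false_match_rate(16, TOLERANCE),
        "fmr_search_1000": search_false_match(false_match_rate(16, TOLERANCE), 1000),
    }
```

With the same tolerance, the 1-to-1 check of Alice's claim involves one opportunity for a false fit, while the search returns two fits and its chance of a false fit grows with every additional enrolled reference.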


3.3 The Quality of (Id)entifiers

The nature of identification and entification processes is such that authentication is never perfect, but rather is more or less reliable. This and the following sub-section consider key factors relevant to the quality of those processes.

There are many desirable characteristics of an (id)entifier if it is to provide the basis for a reliable (id)entification scheme. These include:

These characteristics may suit organisations very well, but they are in many cases inconvenient from the standpoint of an individual whose (id)entifier is being acquired and authenticated, and in some circumstances objectionable, and even downright obnoxious. The problem is at its most acute where the criteria are applied to entifiers, and hence to individuals' own bodies. A serious tension exists between the needs of organisations and the interests of individuals. Systems designers commonly place far more weight on the interests of powerful organisations than on those of poorly organised consumers and citizens.


3.4 The Quality of (Id)entification

A range of risk factors impinge on quality. Of especial importance is the need to achieve an appropriate balance between the harm arising from:

Sources of poor quality include the following:

Where quality shortfalls occur, additional considerations come into play, including the following:

An approach very commonly used in the context of e-business is a string of characters (a loginid) as identifier, and an additional string of characters (a password) as a means of using the person's knowledge as an authenticator. Many risks exist, which are partially addressed through such technical measures as channel encryption (in particular SSL/TLS), Kerberos, and one-time password schemes. A further approach is e-tokens that use public key cryptography. This is fraught with problems, and is addressed in a companion paper.

The level of assurance of an authentication mechanism depends on the extent of protections against abuse, and hence on whether it can be effectively repudiated by the entity concerned. It is useful to distinguish the following levels of authentication:

Where an authentication process results in a very high degree of confidence in an assertion, the term 'verification' may be appropriate. In most circumstances, however, achieving strong authentication is very difficult and/or very expensive and/or highly intrusive. Where the process results in less than strong authentication, the degree of confidence that can be attained is too low to justify such a strong expression as verification. Strong authentication is associated with the concept of 'absolute trust', which has currency in some military and national security applications. Business enterprises and most government agencies generally adopt 'risk management' approaches, which rely on lower levels of assurance, but are cheaper, more practical, easier to implement and use, and less privacy-invasive.


3.5 Consequences, Cost-Effectiveness and Trade-Off

Some individuals are unable to provide the identifiers, entifiers or authenticators that organisations demand from them. For example, some people have an awkward name, no documents, a poor memory, no thumb, or provide biometrics that are statistical outliers and frequently result in false negatives. These people suffer the consequences, such as repeated delays in their dealings with organisations, suspicion at checkpoints, exclusion from premises that they rightfully should have access to, and wrongful detention.

A more general consideration is the extent to which organisations exercise power over individuals by imposing technology on them, and signify their power through repetitively forcing people to submit. Public resentment and suspicion result in the active use of countermeasures of various kinds, not only by miscreants and criminals, but also by the general public. This reduces the effectiveness of the schemes employed.

High-reliability authentication processes are generally very costly, in terms of monetary value, time, convenience and intrusiveness. Many factors need to be considered in addition to the degree of confidence that the (id)entifier and the (id)entification and authentication processes are capable of generating. These include the practicality, the cost (not only in direct financial terms, but also in the time of both the organisation's employees and affected individuals), and the extent to which the technique and process are acceptable to the public, and to people with particular cultural interests, including those of specific language groups, religions and denominations, aboriginal groups, and itinerants.

Organisations therefore generally implement an approach that represents a trade-off between quality and the many other factors relevant in their particular context. The particular evidence used in authentication varies a great deal depending on the purpose of the transaction, and the context in which it is being undertaken.


4. The Authentication of Other Assertions Relevant to e-Business

Authentication is the process whereby a degree of confidence in an assertion is established. Since the advent of e-commerce, there has been a tendency for the term 'authentication' to be used in an unqualified manner but to refer specifically to authentication of an assertion that a person presenting to an organisation has a specified (id)entity. This is only one kind of authentication. It is contended that:

In addition to humans, there are two further classes of things the authentication of whose (id)entities is important in e-business:

Moreover, there are many circumstances in which a message-recipient may not be able to readily discern whether an (id)entifier belongs to a human, an organisation or an artefact. For example, an email-address (leaving aside the question of its authenticity) may be as readily machine-generated as human-generated.

There are also assertions relevant to e-business for which (id)entity, whether of a human, an organisation or an artefact, is not the primary concern. These other categories of assertion relate to:

Authentication of these six additional and important broad categories of assertion is discussed in the following sub-sections.


4.1 Artefact (Id)entity Authentication

The term 'artefact' is used here to include devices such as workstations, smart cards and robots, and software agents that exhibit more or less intelligent behaviour.

There are many circumstances in which it is appropriate to check the likelihood that the origin of a message is as it appears to be, or is asserted to be. Relevant entifiers include fixed network addresses, processor-ids, and network interface card (NIC) ids.

Identifiers, which signify identities rather than entities, include process-ids such as ports and web-server ids, web-page URLs, and email-addresses. An IP-address is an identifier, not an entifier, because in itself it says nothing about which artefact was using the IP-address at the time.


4.2 Organisational (Id)entity Authentication

By 'organisation' is meant here an entity created in order to combine the efforts and resources of multiple parties, to share risk among them, and to enable groups of parties to sue and be sued. The law underlines the substantial difference between organisations and people by describing them as 'legal persons'. Successive sub-sections consider the nature of organisations, the multiplicity of (id)entities that many organisations utilise, the (id)entifiers that signify them, and the difficulties encountered in authenticating assertions about them.


(a) The Nature and Diversity of Organisational Entities

One kind of legal person is referred to in British-derived law as a 'body politic'. This is a sovereign nation-state, or a component of a nation-state, such as a province. In many countries, most of the individual government agencies that perform the business of a body politic have no existence in law. A legal action by, or against, such government agencies is accordingly an action by, or against, the body politic as a whole.

The second category of legal person is referred to in British-derived law as a 'body corporate', and arises through an act of 'incorporation'. The primary example is the joint stock corporation / société anonyme (SA) / Gesellschaft mit beschränkter Haftung (GmbH) / Aktiengesellschaft (AG), the liability of whose shareholders is limited by law. Other examples include incorporated associations, co-operatives, strata title and community title bodies corporate, and corporations created under specific statutes. In some countries, some kinds of bodies corporate may come into existence under the common law, e.g. trusts.

A great deal of business is conducted by unincorporated enterprises, including sole traders, partnerships, joint ventures, executors, liquidators, trustees, unincorporated clubs and associations, community progress committees and cultural event committees. Unless incorporated under law, such enterprises have no existence for the purposes of, for example, contract, and no ability to sue or be sued. The parties that are deemed in law to make up the enterprise are jointly and severally liable for its acts (i.e. any one or more of them can be sued). Those parties are in many cases people, but can also be bodies corporate or even bodies politic.


(b) The Multiple Identities of Organisations

Most organisations play many different roles, and have many different kinds of relationship with many kinds of other organisations. Examples of these relationships include seller and buyer, supplier and receiver, debtor and creditor, payer and payee, principal and agent, franchisor and franchisee, lessor and lessee, copyright licensor and licensee, employer and employee, contractor and contractee, trustee and beneficiary, tax-assessor and tax-assessee, business licensor and licensee, plaintiff and respondent, investigator and investigatee, and prosecutor and defendant.

To reflect the varied roles that it plays, a body corporate may have many business units, divisions, branches, trading-names, trademarks and brandnames. Similarly, bodies politic, and even individual government agencies, perform multiple roles, and may present many faces to people and to other organisations.


(c) The (Id)entifiers of Organisations

In all cases of legal persons, there is no corporeal entity. It is therefore arguable that no data can be created that enables entification at the quality level corresponding to a biometric for a human.

Identifiers to signify organisations' various identities are also problematical. In most jurisdictions, corporate names are the subject of regulation, and the sequence of letters that they are required to use is likely to be invariant (although they may in practice vary the spelling, and especially the punctuation and styling). The trading names used by unincorporated business enterprises tend to be subject to less stringent and only lightly-enforced regulation. Coding schemes exist in some countries, providing a code for each legal entity, although for unincorporated enterprises such schemes are often more haphazard. Business units within corporations, business names and brands generally do not have separate registration codes from the company of which they are a part.

Government agencies are often even less reliable in their use of (id)entifiers. In many jurisdictions there exists no registration-code, no reliable register of agency-names, and even no coherent and controlled process by which they are created, their names are changed, and they are dis-established.


(d) The Authentication of Organisational (Id)entity

Many circumstances arise in which a message-recipient wants to authenticate an assertion that the message was originated by a particular organisational (id)entity. In conventional business, a variety of techniques is used. Common approaches include the expectation that communications from a business enterprise will be on authentic(-looking) letterhead, and call-back to a telephone number acquired from some other source.

The nominally highest-quality authentication of a corporation's (id)entity and actions has been where the company's seal has been affixed to a document, and over-signed by authorised officers. This is actually of very low quality, because both the seal and the signatures are easy to spoof, and very difficult to check. With the emergence of e-commerce during the last quarter-century, the requirements for use of a company seal are in the process of being rescinded (and the requisite amendments have already been made to, for example, the Australian corporations law).

A further serious difficulty arises from the fact that organisations are incorporeal. They have no means whereby they can perform actions that affect the real world, and hence, when there is a wish that they, for example, enter into contracts, place orders, receive deliveries, instigate payments, accept orders, and initiate deliveries, they can only do so through humans performing those acts on their behalf.

The authentication of an organisation's (id)entity is directly affected by this limitation. Authentication can only be performed by checking the assertions of actors that are capable of acting in the real world, which generally means people. The fact that a person has proffered the (id)entifier of a particular body politic or body corporate is insufficient, because somehow a check also needs to be performed that the person has the right and power to provide that (id)entifier.

It has often been claimed that electronic signatures in general, and digital signatures in particular, offer the prospect of higher levels of confidence. But in addition to the security measures needed in respect of the person's digital signature keys, further measures are needed, in order to reduce the likelihood of error or fraud through the misapplication of the organisation's powers.

This fundamental challenge to the authentication of assertions relating to organisational (id)entity affects dealings in the physical world as much as it does electronic transactions. This is further considered in section 4.4 below.


4.3 Attribute Authentication

Another approach is the authentication of attributes. This is a process whereby information about a party is checked, such as whether a person is within an age-range appropriate to some category of transaction, is a member of a particular association, or has a particular educational or other qualification. It is not the (id)entity that is in focus, but rather something about that (id)entity.

Attribute authentication generally involves the inspection of some kind of credential that attests to that (id)entity possessing that attribute. Many circumstances exist in which the credential identifies the person. This is not actually necessary, however. All that is needed is some means whereby the credential is reliably associated with the (id)entity presenting the credential. For example, a series of challenges for information can be sufficient to establish that a person qualifies for entry to secure premises, without even knowing their (id)entity let alone authenticating it.

Moreover, even where the process of attribute authentication involves the provision of an (id)entifier, there may be no need to record anything more than the fact that authentication was performed. In this way, the transaction ceases to be identified. An example of this is the inspection of so-called 'photo-id', without recording the (id)entifier displayed on the card.


4.4 Agency Authentication

A special case of attribute authentication, and one highly relevant to e-business, is the authentication of an assertion that an entity has the legal capacity to formally represent another entity, and to bind them in contract. The representative is referred to as an agent, and the party being represented is called the principal.

Agents may be appointed to act on behalf of people, or of organisations. It is common to evidence the relationship by means of a document generally referred to as a power of attorney. Organisations are legal fictions that have served advanced economies very well, and continue to do so. They cannot, however, act directly on the real world, and hence some natural person must do things on their behalf.

In many cases, there is a chain of agency relationships, passing through multiple organisations and individuals. An example is an employee of a customs agency, which is acting on behalf of another customs agency that operates in a location overseas, which in turn acts for an exporter. A chain of three principal-agent relationships among bodies corporate culminates in a principal-agent relationship between the last company and its employee. In principle, the authentication of an agent requires inspection and testing of the evidence for the complete series of delegations. In practice, such inspections and testing are very rarely performed, and in most cases they would be impractical anyway. Society runs on a great deal of trust.

To date, agents have always been human. There is an increasing number of examples of acts delegated to artificial intelligences, however, through such means as automated telephone, fax and email response; automated re-ordering; program trading; and other forms of software agent. Legislatures and courts may be becoming willing to accept these acts as being binding on the entity concerned, at least under some circumstances.

In many cases, messages communicate the (id)entities of the agent and the principal. Circumstances arise, on the other hand, in which either or both of the agent and the principal may use a nym. In addition, the fact that it is a nym may or may not be disclosed. For example, it is reasonably common for principals to use anonymity or pseudonymity when selling works of art and moderately-sized shareholdings. Hence authentication of principal-agent relationships needs to make allowance for agency with and without (id)entity.

The (id)entification and authentication schemes operated by business enterprises must be sufficiently sophisticated to distinguish between the acts and (id)entities of principals, of intermediate agents, and of ultimate agents. Care is needed to ensure not only that the relationship between principal and agent exists at the relevant time, but also that it actually encompasses the kind of transaction being conducted, and does not exceed any limitations on the agent's power to act on behalf of, and bind, the principal. A further complication is that an agent may act for multiple principals, and a principal may be represented by multiple agents. This results in multiple credentials, and scope for conflicts of interest to arise that need to be managed.

Analogous arrangements have been envisaged for the electronic context, applying cryptographic techniques. One approach that might be used is to authenticate the (id)entity of the individual and/or body corporate (as discussed in the preceding sub-sections), and then check some kind of register of (id)entities authorised to act on behalf of the relevant body. The register might even be implemented in distributed fashion, by setting an indicator within the person's own digital signature chip-card.

Another approach is direct authentication of an authorisation. For example, a body corporate's private key could be used to digitally sign a particular kind of instrument, which a recipient could confirm (using the body corporate's widely available public key). This would be a more direct mechanism, and would avoid unnecessary declaration and authentication of the (id)entity of the agent. It would, on the other hand, involve risk of appropriation or theft of what amounts to a bearer instrument.
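The checks this sub-section calls for (the complete series of delegations, each relationship being in force at the relevant time, covering the kind of transaction, and not exceeding the agent's limits) can be sketched as follows. This is an added example, not part of the original paper: the names, day numbers and keys are constructed, the final agent presents under a nym, and an HMAC stands in for each principal's digital signature.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Constructed keys. HMAC-SHA256 stands in for each principal's digital
# signature; a real scheme would verify against the principal's public key.
KEYS = {
    "exporter-co": b"constructed-key-1",
    "overseas-customs-agency": b"constructed-key-2",
    "local-customs-agency": b"constructed-key-3",
}


@dataclass(frozen=True)
class Delegation:
    principal: str    # (id)entifier or nym of the party granting the power
    agent: str        # (id)entifier or nym of the party receiving it
    actions: tuple    # kinds of transaction the agent may conduct
    max_value: int    # most the agent may bind the principal to
    not_before: int   # first day the delegation is in force
    not_after: int    # last day the delegation is in force
    tag: str = ""     # stand-in for the principal's signature

    def payload(self) -> bytes:
        return json.dumps([self.principal, self.agent, sorted(self.actions),
                           self.max_value, self.not_before, self.not_after]).encode()


def sign(d: Delegation) -> str:
    return hmac.new(KEYS[d.principal], d.payload(), hashlib.sha256).hexdigest()


def issue(principal, agent, actions, max_value, not_before, not_after):
    d = Delegation(principal, agent, tuple(actions), max_value, not_before, not_after)
    return replace(d, tag=sign(d))


def check_chain(chain, root_principal, acting_agent, action, value, when):
    """Return (True, "ok") or (False, reason) for one proposed transaction."""
    if not chain:
        return False, "no evidence of delegation"
    expected = root_principal
    for i, d in enumerate(chain):
        # Each link must be granted by the agent named in the previous link.
        if d.principal != expected:
            return False, f"link {i}: chain is broken at {d.principal}"
        if d.principal not in KEYS:
            return False, f"link {i}: no key for {d.principal}"
        if not hmac.compare_digest(sign(d), d.tag):
            return False, f"link {i}: delegation not authentic"
        # The relationship must exist at the relevant time ...
        if not d.not_before <= when <= d.not_after:
            return False, f"link {i}: not in force at the relevant time"
        # ... encompass the kind of transaction being conducted ...
        if action not in d.actions:
            return False, f"link {i}: does not cover '{action}'"
        # ... and not exceed any limitation on the agent's power.
        if value > d.max_value:
            return False, f"link {i}: exceeds limit of {d.max_value}"
        expected = d.agent
    if expected != acting_agent:
        return False, "chain does not end at the acting agent"
    return True, "ok"


def sample_chain():
    # Constructed chain: exporter -> overseas agency -> local agency -> employee.
    both = ["lodge-declaration", "pay-duty"]
    return [
        issue("exporter-co", "overseas-customs-agency", both, 50000, 100, 465),
        issue("overseas-customs-agency", "local-customs-agency", both, 20000, 100, 465),
        issue("local-customs-agency", "nym:clerk-7f3a", ["lodge-declaration"], 20000, 200, 300),
    ]


if __name__ == "__main__":
    chain = sample_chain()
    for action, value, day in [("lodge-declaration", 15000, 250),
                               ("pay-duty", 15000, 250),
                               ("lodge-declaration", 25000, 250),
                               ("lodge-declaration", 15000, 350)]:
        print(action, value, day, check_chain(
            chain, "exporter-co", "nym:clerk-7f3a", action, value, day))
```

Every link is tested against the same transaction, so a limit imposed anywhere in the chain binds the ultimate agent even where a later delegation purports to grant more.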


4.5 Location Authentication

A second important special case of attribute authentication is location authentication. The assertion is of the form 'the (id)entity that originated this message did so from, or in respect of, a particular location, within some tolerance range'. This might involve location and tracking technologies such as the triangulation of cell-phone signals or the use of global positioning systems (GPS).

Location authentication has application in a variety of contexts, including:

As is the case with all attributes, mechanisms are needed that support location authentication with and without (id)entity.


4.6 Value Authentication

There are many circumstances in which organisations seek assurance that the consideration offered by a party delivers the value it purports to. In most cases, 'value' is best understood in terms of fungibility or convertibility to cash; but value may also be represented by vouchers such as certificates and tickets; and value can be imputed by the recipient of goods, services or information.

Examples of value authentication include the checking of a banknote for forgery-resistant features like metal wires or holograms, and the seeking of pre-authorisation of credit-card payments. In the electronic context, they include messages stating that funds have been transferred from the sender's account to an account nominated by the receiver; and messages that contain the electronic equivalent of a coin of a particular value in a particular currency.

In a great deal of conventional commerce, value authentication without identity is a primary means whereby trust is achieved. In e-commerce, however, an aberration has arisen: in its few short years to date, the sole practical payment mechanism has been through the transmission of credit card details, which carry an identifier of the cardholder. Payment mechanisms that do not have an identifier associated with them have been conceived, designed, prototyped, implemented, and trialled, but have not yet been widely adopted. The deployment of value authentication without disclosure of identity represents a real opportunity to unlock the potential of e-commerce.


5. A Model of Authentication for e-Business

This section recapitulates the model developed in the preceding sections, in order to provide a succinct statement of the new model of authentication for e-business.

Authentication is the process whereby a degree of confidence in an assertion is established. Conventional usage of the term 'authentication' is deficient because it conflates several forms of assertion that should be distinguished. The following kinds of assertions are relevant to e-business:

The term 'entity' encompasses all manner of real-world things, including objects, animals, people, and 'legal persons' such as corporations, trusts, superannuation funds, and incorporated associations. A data-item or data-items used in an information system to distinguish one instance of an entity from other similar instances is often referred to as an 'identifier'. This is not sensible, because it confuses the concepts of 'entity' and 'identity'. The term 'entifier' is proposed, to refer to data used as a signifier of an entity. For humans, this would be likely to be a biometric.

An entity does not necessarily present using an entifier. It may perform many roles, and the relationship of each of these roles back to the particular entity may or may not be apparent. The term 'identity' refers to a particular presentation of an entity. An 'identifier' is data concerning an identity, that is sufficient to distinguish it from other instances of its particular class, and that is used as a signifier for it.

The terms '(id)entity', '(id)entifier' and '(id)entification' are used where both entities and identities are being referred to at the same time. There are many circumstances in which a message-recipient may not be able to readily discern whether an (id)entifier belongs to a human, an organisation or an artefact. For example, an email-address (leaving aside the question of its authenticity) may be as readily machine-generated as human-generated.

A further, very important notion is that of an identifier where the entity underlying the identity is not known, i.e. the user of that identifier either cannot be established (anonymity), or could be but has not been (pseudonymity). This notion is most usefully referred to as a 'nym'. The concept 'nym' is a special case of the concept 'identifier'. In general, statements in this paper that use the term (id)entifier also encompass nyms.

Many assertions relate to something about an (id)entity. In some contexts it is important to know the (id)entifier of the (id)entity that the assertion relates to; but in many other contexts this information is of secondary or no importance. Such assertions are of the form 'the (id)entity that originated this message has a particular attribute'. For example, the person issued with that loginid is a registered medical practitioner, or the person requesting that web-page is over the age of 18.

Two cases of attribute authentication are sufficiently important to e-business to warrant special treatment. The first of these is agency authentication. In this case, the assertion is of the form 'the (id)entity that originated this message is an agent for another (id)entity'. For example, the person issued with a particular loginid has power of attorney over the affairs of a specific person; or that person is entitled to issue purchase orders on behalf of a particular corporation up to a particular value.

Frequently, chains of principal-agency relationships exist. Commonly, an individual will represent an organisation that in turn represents another organisation, e.g. an employee of a customs agency that is acting on behalf of an importer. The authentication of an agent requires inspection and testing of the evidence for the complete series of delegations. In conventional business practice, such inspections and testing are seldom performed, and in most cases they would be impracticable anyway. Society and business have always depended on a great deal of trust. Notwithstanding frequently expressed opinions to the contrary, and despite the increased risks inherent in cyberspace, it appears likely that e-business will as well.

A second important special case of attribute authentication is location authentication. The assertion is of the form 'the (id)entity that originated this message did so from, or in respect of, a particular location, within some tolerance range'.

Finally, there are many e-business contexts in which an assertion is made that relates to the value being conveyed by the message, and where the (id)entity associated with the payment is of secondary or no importance. Value authentication is needed for assertions of the form 'the contents of this message have a particular value to the recipient'.

The above analysis results in a model of authentication for e-business that distinguishes 15 kinds of assertions:


6. Implications

This document has presented a model of identification and authentication. It has argued that the design of e-business services has been founded on an excessively simplistic understanding of the concepts, and that these inadequacies have been significant factors in the lack of public trust in all forms of e-business and in the resultant low adoption rates. Progress will only be possible if attention is paid to the subtleties.

A first important requirement is that the distinction needs to be appreciated between identities and entities, and hence between the signifiers of each, and the processes whereby signifiers are acquired.

Processes to acquire signifiers of human entities, dependent as they are on biometrics, are gross intrusions on individuals. Moreover, the risk of biometric masquerade, and hence identity theft, is very high in the e-business context. Biometric measures of humans should therefore only be imposed in circumstances in which their use is clearly justified, alternative measures have been expressly considered and found wanting, and effective protections against escape of the biometrics have been built in.

The proposition that identity must be disclosed and authenticated in order to engender trust in cyberspace is a dangerous illusion. It is in fact a significant factor in distrust. The authentication of a range of assertions that have little or nothing to do with identity creates opportunities to overcome the impediments and achieve much more rapid take-up of Internet commerce.

One important contribution would be the deployment of anonymous payment mechanisms, particularly Chaumian eCash. This is especially promising, because it is payer-anonymous, but payee-traceable (and hence denies the payee the ability to deny the receipt of, for example, taxable income). An additional challenge of especial importance is the development of techniques for the authentication of attributes without the disclosure of (id)entity.

Anonymity, while not entirely precluding accountability, certainly compromises it. Pseudonymity offers a way to achieve balance between privacy and accountability. Progress in this area depends, however, on recognition of the need, credible legal protections, and the development and deployment of technologies to support it.

The enormous challenges involved in authenticating assertions of organisational (id)entity must no longer be overlooked, but must instead be confronted. This places a great deal of emphasis on attribute credentials, and on chaining them. This is vital to the stimulation of open B2B e-commerce among large numbers of business enterprises that are little-known to one another.

If the authentication of organisational (id)entities and the attributes of their agents proves too difficult to deliver, an alternative may be to reduce the ambition of electronic authentication, for the time being at least. Public key technologies can be more reliably implemented when the assertions that they are devised to authenticate relate only to artefact (id)entity. It may be that organisations and individuals need to pre-register the particular device or software agent that they intend using for a particular transaction, enabling a qualified level of trust to be engendered in the device that is being communicated with.

These requirements underline the inadequacies of conventional designs for public key infrastructure (PKI), and imply the need to re-think and re-engineer PKI from the ground up, removing the fixities, overcoming the limitations, abandoning the flawed concept of certification authorities, and substituting risk management approaches for the myth of CA-based assurance. The new model of authentication developed in this paper is applied to PKI in a companion paper, Clarke (2001d).


Bibliography

CACM (1999) 'Internet Privacy: The Quest for Anonymity' Special Section of Commun. ACM 42, 2 (February 1999), at http://www.research.att.com/~lorrie/pubs/cacm-privacy.html

Clarke R. (1994a) 'The Digital Persona and its Application to Data Surveillance', The Information Society 10, 2 (June 1994), at http://www.rogerclarke.com/DV/DigPersona.html

Clarke R. (1994b) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues', Information Technology & People 7, 4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html

Clarke R. (1995) 'When Do They Need to Know 'Whodunnit?' The Justification for Transaction Identification: The Scope for Transaction Anonymity and Pseudonymity' Proc. Conf. Computers, Freedom & Privacy, San Francisco, 31 March 1995, at http://www.rogerclarke.com/DV/PaperCFP95.html

Clarke R. (1996) 'Identification, Anonymity and Pseudonymity in Consumer Transactions: A Vital Systems Design and Public Policy Issue' Proc. Conf. 'Smart Cards: The Issues', Sydney, 18 October 1996, at http://www.rogerclarke.com/DV/AnonPsPol.html

Clarke R. (1998) 'Smart Cards in Identification and Authentication' Chapter 7 of Smart Card Technical Issues Starter Kit, Centrelink, August 1998, at http://www.rogerclarke.com/DV/SCTISK7.html

Clarke R. (1999) 'Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice' Proc. User Identification & Privacy Protection Conf., Stockholm, 14-15 June 1999, at http://www.rogerclarke.com/DV/UIPP99.html

Clarke R. (2001a) 'Biometrics and Privacy' April 2001, at http://www.rogerclarke.com/DV/Biometrics.html

Clarke R. (2001b) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Information Technology & People 14, 2 (Summer 2001) 206-231. Original version in Proc. 21st International Conference on Privacy and Personal Data Protection, pp.131-150, Hong Kong, 13-15 September 1999, at http://www.rogerclarke.com/DV/PLT.html

Clarke R. (2001c) 'Trust in the Context of e-Business' 1 October 2001, at http://www.rogerclarke.com/EC/Trust.html

Clarke R. (2001d) 'The Re-Invention of Public Key Infrastructure', December 2001, at http://www.rogerclarke.com/EC/PKIReinv.html

Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998a) 'Technological Aspects of Internet Crime Prevention', Proc. Conf. 'Internet Crime', Australian Institute for Criminology, Melbourne University, 16-17 February 1998, at http://www.rogerclarke.com/II/ICrimPrev.html

Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998b) 'The Technical Feasibility of Regulating Gambling on the Internet', Proc. Conf. 'Gambling, Technology & Society: Regulatory Challenges for the 21st Century', Rex Hotel Sydney, Potts Point, 7-8 May 1998, Australian Institute for Criminology, Melbourne University, at http://www.rogerclarke.com/II/ICrimPrev.html

Clarke R., Dempsey G., Ooi C.N. & O'Connor R.F. (1998c) 'A Primer on Internet Technology', at http://www.rogerclarke.com/II/IPrimer.html

Davis A. (1997) 'The Body as Password' Wired 5.07 (July 1997), at http://www.wired.com/wired/archive/5.07/biometrics_pr.html

Denning D.E. & MacDoran P.F. (1996) 'Location-Based Authentication: Grounding Cyberspace for Better Security' Computer Fraud & Security, February 1996, at http://www.cs.georgetown.edu/~denning/infosec/Grounding.txt

Economist (2000) 'The measure of man' The Economist, 9 September 2000, at http://www.economist.com/PrinterFriendly.cfm?Story_ID=360238&CFID=361701&CFTOKEN=64612627

Ehrlich T. (1966) 'Passports' 19 Stanford L. Rev. 129-149 (1966-67)

EPIC (1997-) 'EPIC Online Guide to Practical Privacy Tools', at http://www.epic.org/privacy/tools.html

FACFI (1976) 'The Criminal Use of False Identification: the Report of the Federal Advisory Committee on False Identification', U.S. Dept of Justice, 1976

Fox-Davies A.C. & Carlyon-Britton P.W.P. (1906) 'A Treatise on the Law Concerning Names and Changes of Name' Elliot Stock, London, 1906

Froomkin A.M. (1995) 'Anonymity and Its Enmities' 1995 J. Online L., at http://www.law.cornell.edu/jol/froomkin.htm

Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures', Proc. IBC Conference on Digital Signatures, Sydney, March 1997, at http://www.rogerclarke.com/DV/DigSig.html

IPCO (1999b) 'Privacy and Biometrics' Information and Privacy Commissioner, Ontario, September 1999, at http://www.ipc.on.ca/english/pubpres/sum_pap/papers/pri-biom.htm (188K)

IPCO (1999c) 'Consumer Biometric Applications: A Discussion Paper' Information and Privacy Commissioner, Ontario, September 1999, at http://www.ipc.on.ca/english/pubpres/sum_pap/papers/cons-bio.htm (376K)

Josling J.F. (1980) 'Change of Name' Oyez Publishing, London, 1st Edition, 1946, 12th Edition, 1980

Lampson B., Abadi M., Burrows M. & Wobber E. (1992) 'Authentication in distributed systems: theory and practice' ACM Transactions on Computer Systems, 10(4):265-310, November 1992, at http://gatekeeper.dec.com/pub/DEC/SRC/research-reports/abstracts/src-rr-083.html

McCullagh D. (1998-) 'Nym Resources', at http://www.well.com/user/declan/nym/

Moenssens A.A. (1969) 'Fingerprints and The Law' Chilton, Philadelphia, 1969

Neumann P.G. (1996) 'Risks of Anonymity' Insider Risks Column, Commun. ACM 39, 12 (December 1996)

Silberman S. (2001) 'The New ID' Wired 9:01, at http://www.wired.com/wired/archive/9.01/ideo_pr.html

Smith A.O. & Clarke R. (1999) 'Identification, Authentication and Anonymity in a Legal Context', Proc. IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999, at http://www.rogerclarke.com/DV/AnonLegal.html (primary author A. Smith). Republished in Computer Law & Security Report 16, 2 (March/April 2000) CLSR 95-101

Sneddon M. (2000) 'Legal Liability and e-Transactions' National Electronic Authentication Council, Canberra, Australia, August 2000, at http://www.noie.gov.au/publications/NOIE/NEAC/publication_utz1508.pdf

Turack D.C. (1972) 'The Passport in International Law' D.C. Heath & Co., Lexington MA, 1972

TIS (1994) Special Issue of Information Technology & People 7, 4 (1994) on 'Identification Technologies'. Preface at http://weber.ucsd.edu/~pagre/identification.html

Warwick K. (2000) 'Cyborg 1.0' Wired 8.02 (February 2000), at http://www.wired.com/wired/archive/8.02/warwick_pr.html

Wilton G.W. (1938) 'Fingerprints: History, Law and Romance' William Hodge & Co., London, 1938

Winn J.K. (1998) 'Open Systems, Free Markets, and Regulation of Internet Commerce' 72 Tulane L. Rev. 1177 (1998), at http://www.smu.edu/~jwinn/esig.html



Created: 5 October 2001 - Last Amended: 26 December 2001 by Roger Clarke - Site Last Verified: 15 February 2009