Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2017
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Roger Clarke **
Review Draft of 5 May 2008
© Xamax Consultancy Pty Ltd, 2008
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/EC/IdMngtMyths.html
The identity management arena is full of misunderstandings and mythologies. This presentation highlights why most initiatives have fallen far short of their promise, and why they will continue to do so until technology providers change their mind-set, and user-organisations are offered much more appropriate products. The analysis has substantial implications for government agencies concerned with public policy. It also delivers important messages for the strategies of user-organisations in both the public and private sectors. Finally, it offers guidance to those technology vendors that recognise the deficiencies of their current offerings.
Organisations have been assiduously applying information technologies (IT) to the management of people for over half a century now. The original focus was on the capture of data about individuals into machine-processable form. This was followed by increases in the volume of data sought, increases in the number of sources from which it was acquired, and the consolidation of data from a variety of sources into a single record.
All of these activities depend upon means for achieving reliable associations between stored data and the human beings the data is believed to relate to. One of the earliest comprehensive assessments of human identification in information systems was undertaken in Clarke (1994). During the 15 years since that paper was drafted, the governments of several among the world's relatively free nations have pursued campaigns to impose draconian identification schemes on their populations, utilising technologies such as bar-codes, smartcards, RFID tags and biometrics to address the identification aspects, coupled with centralised databases or hub databases to physically or virtually consolidate the vast quantities of personal data involved. These have included the UK Government's National Identity Scheme (IPS 2008), the US Government's REAL ID Act (NCSL 2008), the failed Australian Access Card (APF 2007), and the Malaysian Mykad scheme (JPN 2008).
Meanwhile, corporations and individual government agencies have pursued a parallel path in the virtual world. Successive waves of marketer activity have used such buzz-phrases as 'digital signatures', 'authentication', 'single sign-on' and, currently, 'identity management'. Failure rates have been high, and overall return on investment very low. Unrealistic visions and designs have abounded, particularly in complex multi-organisational settings such as 'Joined Up Government'.
The reasons for the succession of failures in this area are straightforward:
Technology providers have created a great many myths.
User organisations have swallowed them.
The purpose of this paper is to identify the key myths, and explain why they're misleading and harmful. The sequence in which 17 Myths are presented has been devised so as to enable key underlying concepts to be exposed, and models underlying the analysis to be progressively developed. The Myths are the primary focus of this paper, but their implications are also briefly outlined. The definitions used in the paper are drawn from this author's key publications in the area over the last two decades. The definitions are summarised in glossary form in Clarke (2004b) and explained in greater detail in Clarke (2004c).
Before tackling the more complex issues, it's necessary to go back to fundamentals. In terms like 'identity management' and 'identity provisioning', technology providers adopt the pretence that they create and maintain identities, and then grant people the right to use them.
But identities long pre-date the existence of information technology suppliers. An identity exists in the real world. It is most readily conceived as a presentation or role of some underlying entity. Its relationship with that entity (or those entities) is further discussed below.
What organisations have on their disk-drives are collections of data. That data has some degree of correspondence with the attributes of real-world identities, but to refer to the collection of data about an identity as being the identity itself is misleading, and leads to excessive claims as to what record-keepers are capable of doing.
The association between a record and an identity is achieved by means of an identifier. An identifier is one or more data-items that are used to distinguish the identity from other, similar identities. Exhibit 1 shows these relationships in diagrammatic form.
Ideally, the cardinality of the relationship would be 1:n, i.e. each identity may be related to zero, one or more records in databases, but each record relates to precisely one identity. For this to be achieved, however, two conditions would need to be fulfilled. Firstly, the identifier would have to be assigned by the record-keeper in such a manner that ambiguities are avoided. Name, and even name with date of birth, are ambiguous, whereas organisation-assigned codes can be unique. Secondly, the management of the database would have to include highly reliable identity authentication procedures to ensure that new and amending data relate to the appropriate identity. Data relating to multiple identities can find their way into a record because of data-capture error, or authentication inadequacies.
Technology providers like to pretend that each person 'out there' is a singular identity. Their simplistic notion is that 'You are who your birth certificate or your passport says you are'. Many go further, and accuse people who have more than one identity of being cheats and criminals. They are upset about this partly on moral grounds, but also because their products are presaged on simple models in which there is a reliable one-to-one relationship between person and identity. These attitudes are betrayed by the common use among security product vendors and within the national security community of pejorative expressions such as 'false identity', 'assumed identity', 'doppelgänger' and 'evil twin'.
In the real world, however, each of us plays many roles. And each of us is only partially known to each of the people and organisations that we deal with. Each of us may be, and present to particular others, as child, lover, spouse, parent, employee, licensee, bank-account holder, taxpayer, benefit-recipient, and many other things besides. At an artistic level, the much-repeated quotation from comic film producer Mel Brooks is "Every human being has hundreds of separate people living under his skin".
Each of those 'partials' (as some sci-fi writers like to call them) have records in databases. In many cases, organisations do not link the records they hold that reflect different relationships with the same underlying entity. For example, many people buy from, pay tax to, receive benefits from, or are licensed by, the same organisation with which they are employed, or for which they perform contract work. In few such cases is their employee-identifier the same as the identifier under which their other records are filed. As far as the organisation is concerned, they are distinct identities, even though they are the same person.
A further consideration is that none of the databases held by organisations is in any sense complete. And there are considerable inconsistencies among the data the databases contain, because the data was collected for different reasons, using different questions, in different contexts, and at different times.
Looking at the relationship from the other direction, many identities are used by more than one person. Every job-description and community role is filled by different people at different times, and in some cases by different people at the same time. Examples include parent, club treasurer, shift-supervisor in a 24-hour business process, and enquiries@<anycompany>.com. Furthermore, masquerade and identity fraud expressly involve one person appropriating an identity that is normally used by another person. So a naïve model that assumes a one-to-one relationship between identity and person is incapable of dealing with miscreants.
Exhibit 2 shows how records and identities link to the underlying entities (in this case, people - although the diagram can serve equally well for PCs, mobile-phones, and even inactive objects like pallets and packages). The m:n (many-to-many) relationship underlines the real-world complexities that many so-called 'identity management' products fail to reflect.
A biometric is not associated with an identity, but directly with an entity. No commonly-used term exists to describe data that distinguishes between similar entities; so since 2001, I've used the usefully descriptive term 'entifier' for the purpose (Clarke 2001f). Searches on Google and Google Scholar suggest that it may be gradually becoming adopted. Exhibit 3 shows the relationships between entities and entifier-based records in databases.
In principle, the cardinality is 1:n, i.e. an entity may have multiple biometrics, but each biometric corresponds to one specific entity. In practice, the relationship is highly problematical, because biometric measurement is challenging and the results are error-prone and variable. The matching processes between each newly-captured entifier and the previously-captured and stored entifier are necessarily fuzzy. As a result, associations are probabilistic, with an appreciable error-rate. Moreover, each biometric technology has difficulties with some individuals, who are incapable of yielding up a measure. For that 1-5% of the population, some more or less arbitrary alternative has to be adopted, resulting in further errors.
Technology providers whose products do not reflect this model have seriously negative impacts on important human values, because products based on inadequately rich models undermine the separation of partial identities that has long been the single most important form of privacy protection.
The earlier Myths lead naturally to this common misapprehension. It is meaningful to talk of organisations performing 'data management' and 'identifier provisioning' (and, as discussed below, 'authenticator provisioning'). The terms 'identity management' and 'identity provisioning', on the other hand, are misleading, and implicitly claim powers that organisations do not have.
What organisations really do in the area of online access control is modelled in Exhibit 4.
The elements of the access control process are as follows:
These processes are important, valuable, and reasonably well-supported by technology providers. The mythology lies in the way in which suppliers would like their customers to believe that online access control systems do much more than this, in particular that they create and manage identities, when what they actually do is create username/password pairs and manage user accounts.
The discussion to this stage leads to the conclusion that the term 'identity management (IdM)' is seriously misleading. An alternative that would invite less confusion is 'identity information management (IdIM)'.
The ground has now been laid, and the mythology inherent in the current round of product offerings can be explained. This section commences by providing an overview of the phases of the 'identity management' movement, in order to be able to demonstrate where the myths begin. The analysis presented in this and the following section draw heavily on Clarke (2004a). A related analysis is in Jøsang & Pope (2005).
User access originally (roughly, from the 1960s onwards) involved software, referred to above as performing an 'Access Control' function, being placed in front of an application, to protect it and the data it managed from unauthorised users. Exhibit 5A depicts in diagrammatic form the contemporary pattern of use over the open, public Internet.
From as early as the 1970s onwards, organisations were running many applications, and each had its own Access Control sub-system. It's desirable that each person be able to access all appropriate applications by means of a single username and a 'single sign-on'. Exhibit 5B depicts this phase.
Remarkably few organisations have fully solved the challenges of single-signon even for their staff, let alone for people outside the organisation such as customers and suppliers. Reasons for this include the 'legacy system' problem (there are always old applications that interface poorly with current technologies), continual change in philosophies and technologies, and competition for the scarce resources needed to integrate all applications with one unified access control system. Those challenges are compounded by the serious inadequacies in vendors' offerings arising from the Mythologies discussed in this paper.
Since the widespread availability of the Internet from the mid-1990s, service-providers have offered generalised Access Control systems as Internet Services. These can be configured to enable access to the applications run by or for many organisations. Exhibit 5C depicts the arrangement. (For the reader's convenience, the mainstream term 'Identity Management Service' is used, even though the term is criticised in this paper as being materially misleading). Microsoft's Passport service was an endeavour to create value for that company through a service of this kind that enabled Microsoft-related hotmail accounts to be interoperable with many web-sites within and beyond the company.
A competitive market exists for such Internet Services. Initially competitive products were entirely segregated. So, in order to access an application run by a particular organisation, a person had to login to whichever service that organisation was connected to. Progressively, inter-operability arrangements emerged, and in principle at least, a person should be able to login to any third-party Access Control (or 'Identity Management' Service), and reach any application in any organisation. Exhibit 5D depicts the 'federated identity management' arrangement. This is what suppliers of 'identity management' products and services portray as the current state of play; but it is more realistically regarded as aspirational, or at best emergent.
The term 'identity management' was criticised earlier in this paper as being seriously misleading. The term 'federated identity management' compounds the felony. The adjective 'federated' may be interpreted as applying to either noun (i.e. 'management of federated identity' or 'federated management of identity'). In order to overcome both the issues discussed earlier and here, a more descriptive expression would be 'federated management of identity information'.
Federated identity management has been the subject of considerable investment in recent years, particularly since the formation of an industry association in late 2001 under the brand 'Liberty Alliance' (Liberty 2008a). This arose as a defensive measure against the threat of Microsoft's Passport Identity Management Service. The considerable set of protocols that has progressively emerged enables interoperability among many identity management services.
The claim is made that "from inception, the Liberty Alliance has put heavy emphasis on privacy" (Liberty 2008b). The result is anything but privacy-protective, however. The architecture features powerful central authorities that log all interactions, and correlate all identifiers used with all applications. The central authorities can themselves effect service denial, or even outright identity denial, and can facilitate other organisations' measures to lock individuals out of their accounts. These weaknesses were drawn to attention at a very early stage in the life of the federated identity movement (Kaye 2002).
The 'federated identity management' schemes described in the previous section are deficient, because they model only the supply-side, and are locked in to what might be regarded as the 'corporate supremacist' perspective, whereby organisations design and deliver, and people consume.
Toffler coined the word 'prosumer' in 1970. The open public Internet gave rise to the culture of appropriation of digital content, and enabled the 'proactive producer-consumer' to finally emerge during the second half of the 1990s. One aspect of prosumerism is active participation in 'identity management'. People actively project identity rather than passively accepting what organisations impose on them. There are several ways to do this. The term used in Clarke(2004a) to distinguish these alternative approaches is 'demand-side identity management'. The term 'user-centric identity management' has gained currency since 2004, but is used in a wide variety of senses. The sense used in Jøsang & Pope (2005) corresponds with 'demand-side' as described here.
Exhibit 5E draws to attention the existence of software on individuals' own devices that presents data to the Access Control software depended on by organisations, and that does so in the interests of the user not the organisation.
Such software may work autonomously, as an agent for the user. It may submit randomised or nonsense data rather than accurate data (e.g. by registering for the New York Times web-site as a male, U.S., high-income, Accountant/Auditor, in Accounting, in a small company - in each case the first option in the drop-down lists that the site provides). Importantly, it may also conduct successive transactions with the same organisation using different identities (e.g. in order to avoid the accumulation of a consumer profile). This may be onerous for an individual, but it is easy for software.
Exhibit 5F represents a further level of end-user sophistication, whereby a user installs their own proxy-server to manage flows between the many devices that they use and the organisations that they deal with. This may manage one or more consolidated identities (e.g. for the organisations that they trust), or many different single-use or occasional-use identities (e.g. for organisations that they don't know, or know and don't trust).
Similar kinds of proxy-service can be offered by Internet Service Providers that work as agents for the individual rather than for the organisations at the other end of the network. These intermediaries can offer all of the demand-driven services mentioned in the last couple of paragraphs, but can also merge the identities of many users, in order to present a composite identity to organisations. This arrangement is depicted in Exhibit G.
The effectiveness of organisations' strategies in relation to the authentication of the identities that they deal with need to take account of the existence of these intermediary agents and services. Yet most organisations accept the blandishments of vendors of 'identity management' software and service and assume that they are actually provisioning and managing identities, and are doing so in a manner that assures accuracy, reliability and security to the user-organisation. Suppliers represent the architecture as being 'federated identity management' as depicted in Exhibit 5D above, whereas Exhibit 5H below depicts the messier reality, which might be called a 'multi-mediated super-architecture'.
The real challenge of course is to structure an environment in which the interests of all parties are satisfactorily reflected, with anonymity, pseudonymity and data protections as well as trustworthiness of data provided by individuals to organisations. Some years ago, an architecture was proposed that avoids a powerful hub that logs all interactions and correlates all identifiers (Brands 2000). Technology was subsequently delivered that features 'minimal disclosure tokens', which enable attribute authentication without the exposure of any data other than that functionally necessary, and in many cases without even exposing the party's identifier (Brands 2007. See also Gelfand 2008) .
Because so much stress is placed on 'identity management', it comes as a surprise to organisations when they examine their business processes and establish what a small proportion of the complete set of transactions they engage in actually require an authenticated identity in order to manage risk. Enquiries, hypotheticals, payments, and many kinds of trading events can be performed safely without any great confidence in who the other party is.
The fundamental misrepresentation that technology providers have made is that 'authentication' means 'identity authentication'. Authentication is a process whereby confidence is established in an assertion. It is performed by cross-checking the assertion against one or more items of evidence. But the assertion may have little or nothing to do with identity.
Authentication is costly and time-consuming for all parties, and may be unduly onerous and intrusive for the humans who are conducting transactions with an organisation. It is therefore important to consider what the assertion is that actually matters. The assertion whose truth needs to be established may be one of fact, or that value has been or is being transferred, or that the other party is in a particular location, or that a particular document was actually issued by some authority. A common need is to check an attribute of the other party to a transaction (e.g. is the person over 18, over 65, a Veteran, a plumber who gets a trade discount, a subscriber who gets a member's discount?). In a great many circumstances, the party's identity is unimportant and even irrelevant (Clarke 2003b).
Reflecting these realities, the Australian Government Authentication Framework (AGAF) stipulates firstly the conduct of an analysis of what statements are relevant to each particular transaction, and secondly the performance of risk assessment in order to establish both what assertion needs to be authenticated, and what level or strength of authentication is justified (AGIMO 2005). Brandsian 'minimal disclosure tokens', discussed in the previous section, enable strong authentication of attributes without identity.
Since the mid-1990s, it has been technically feasible to use digital signatures to perform some kind of authentication of the parties participating in Internet transactions. The means to do this is provided by the Secure Sockets Layer protocol, later standardised as Transport Layer Security (SSL/TLS, more familiar to most users as the https protocol used by their web-browser).
In principle, SSL/TLS could be applied in order to authenticate users, but in practice hardly any normal user has a digital signature key. Its primary authentication use is to perform some form of check of the provenance of the web-sites that people visit.
Unfortunately, this aspect of SSL/TLS is almost entirely valueless. What are usually referred to as 'Verisign certificates' come with virtually no warranties. This is not surprising, because pre-authentication processes are expensive, and no-one wants to pay the money to conduct them. So no-one takes much notice of them, and most people ignore the warnings that appear when unknown or outdated certificates are detected. The abject failure of the PKI movement of the late 1990s is documented in Clarke (2001e) and Winn (2001).
There is a further difficulty, which is that organisations have no physical existence, and hence cannot themselves perform any act that would enable Verisign or anyone else to pre-authenticate them. People perform those acts on behalf of organisations. Yet, to date, there are virtually no mechanisms available whereby an assertion can be authenticated that a particular user has authority to perform a particular act on behalf of a particular organisation. Moreover, the laws of many countries are highly unclear in relation to principal-agent relationships. In short, consumers and citizens conduct eCommerce and eGovernment with organisations in the blind faith that they're dealing with the organisation that we think we are.
In order to address some further myths that undermine eCommerce and eGovernment, it's necessary to venture into the privacy arena. The first step is to acknowledge the truth of a rallying call used by anti-privacy security specialists and businesspeople. It's quite true that privacy is for people with something to hide.
But the sub-text underlying Not-A-Myth 9 is quite false. The people who use the phrase mean it to imply that honest people have nothing to hide (and therefore shouldn't be concerned about privacy).
There are many data-items and tokens that each of us is obligated to hide, under contractual or other legal provisions. Important among them are the obvious authenticators such as our passwords and PINs, and our passport and driver's licence, and our digital signature keys, but they may also include a lot of relatively public data, such as our date of birth, and our mother's maiden name. Anyone who has a home, a passport or a user-account, or conducts bank transactions electronically, and attacks people for having something to hide, commits hypocrisy.
Suppression of some other items of information plays and important role in the safety of individuals and the things that they own. Examples of such data include the hiding-places of the spare sets of house keys and car keys, the code for the home security system, one's regular movements and habits, preferred drinks, and the locations of valuable assets such as artworks, and the security measures protecting them.
Risks to person and property fall unevenly on different kinds of people. The following is a general guide to categories of 'persons at risk', who have very good reasons to hide a wide range of personal data from public view:
The intensity of the risks has been sharpened in recent years, as technologies have emerged that enable the location, retrospective tracking and even real-time tracking of identified individuals (Clarke 1999b).
In addition, it's a rare person that has no attributes at all that are, or may become, a basis for bias and bigotry. There is a vast variety of possibilities in such areas as health, ethnicity, beliefs, convictions, family arrangements, gender preferences and sexual peccadillos. Wealth is another factor, causing some people to prefer their and their families' financial details to be suppressed, including taxation and donation data. Merely being known to have had an education recently cost a significant proportion of about 2 million people their lives (Kampuchea, late 1970s).
Again, the statement is true, but the sub-text is a refined lie.
The position adopted by anti-privacy security specialists and businesspeople is that anyone who is in favour of something that protects bad people is themselves a bad person (which is a variant of the jingoistic 'the friend of my enemy is my enemy') .
Bad people use money, trains and roads, and they eat food. Bad people also take advantage of the privacy protections that good people rely upon as part of the cluster of freedoms that make life worth living. The bad people can't be denied the ability to abuse those freedoms without also denying the good people the ability to use them.
A 'nym' is a particular form of identifier. Like other identifiers, it comprises one or more attributes of an identity (represented in transactions and records as one or more data-items) that are sufficient to distinguish that identity from other instances of its class, but with the additional characteristic that the available data is not sufficient to enable association with the underlying entity (Clarke 1999a, Samuels & Hawco 2000).
An anonym is a nym for which it is not possible to establish an association between the identity and the underlying entity; whereas a pseudonym is a nym for which that association is feasible, but has not been made.
It is a common misconception that anonymity and pseudonymity are in themselves bad, and that they need to be denied and defeated. In fact, nymity is normal. For a simple demonstration of how mainstream the idea is, consider the number of synonyms that exist (in alphabetical order):
aka ('also-known-as'), alias, avatar, character, nickname, nom de guerre, nom de plume, manifestation, moniker, personality, profile, pseudonym, pseudo-identifier, sobriquet, and stage-name
Cyberspace has spawned many more, including:
account, avatar, handle, nick and persona
Nymity is much-used in transactions, such as:
Exhibit 6 completes the series begun with Exhibits 1 to 3, by depicting the broken link between the Identity and underlying Entity. It also shows the characteristic, inherited from identifiers generally, whereby an entity may use more than one nym, and a nym may be used by one or more entities.
The term 'data silo' refers to collections of data that are segregated from one another. The term is common in the IT industry, but has attracted little attention in the formal literature. It is mostly used where the speaker is urging the breakdown of the silos, in order to extract more value from the inter-related or consolidated collection. Clearly, there are many circumstances in which the benefits of breaking down barriers and inconsistencies and achieving inter-operability exceed the costs and dis-benefits.
Where the data silos contain personal data, however, far greater care is needed. There are contexts in which people actively want separate data collections to be inter-related. But there are many more contexts in which they don't, and in which considerable harm can arise if the segregation between 'partials' is broken down.
Data from multiple sources is inevitably inconsistent in meaning and quality, the inconsistencies give rise to inferences that are often negative, and the inconsistencies and suspicions seldom work to the advantage of the people to whom the data relates. The combination of data from multiple sources also provides the organisation or organisations with substantial data-based power over the individual (Clarke 1988).
Data silos are one of the most fundamental and most effective forms of privacy protection. The negative privacy impact of breaking down data silos makes it imperative that proposals be considered carefully, and that costs, benefits and dis-benefits be evaluated rather than assumed. Proposals to join up complex systems require particularly convincing justification, because such projects result in even more complexity, and hence in diseconomies of scale and scope that are likely to render the apparent benefits illusory.
The term 'identity silos' is very little used, but quite crucial to a proper understanding of identity matters. The term refers to the segregation of a person's many 'partial identities' each of which is known to particular individuals or organisations. Identity silos are one of the most fundamental and most effective forms of privacy protection, and breaking down those barriers represents a very substantial threat to privacy.
There are two broad ways in which identity silos can be destroyed. One is through the use of one identifier for multiple purposes, rather than separate identifiers for each purpose. A common motivation for doing this is to share across multiple systems the costs of issuing and managing identifiers. The second way in which identity silos are broken down is by having multiple separate identifiers, but setting up a scheme whereby they can be correlated.
A corporation breaks down identity silos when, in addition to collecting basic identifiers such as name and data of birth, and assigning its own code to its customers and employees, it also gathers identifiers associated with other systems, such as drivers' licence numbers, passport numbers, and registration numbers with taxation and benefits agencies.
The public sector destroys identity silos when it uses a common number for multiple programs, or in multiple agencies, but also when a database carries identifiers for multiple schemes in one place. The Centrelink agency in Australia, the delivery mechanism for all c. 100 benefits programs managed by c. 20 agencies, includes a hub database that stores everything needed to correlate the many partial identities each recipient of benefits has with each of the agencies that they deal with or have dealt with. Hub schemes like Centrelink's go well beyond the 'inhabitant registration schemes' that are common in European countries. These are mostly restricted to specific clusters of programs - typically taxation and health insurance - and little-used outside those designated contexts.
Having multiple identifiers is important for reasons beyond privacy protection. Identity fraud and identity theft are attractive to criminals because so much value can be extracted by gaining control of the identity. The more identifiers that a person has, the less that is directly linked to and dependent upon each identifier, and hence the lower the incentive to criminals to abuse them.
The extreme case of identity silo destruction is a national identification scheme, of the kind dreamt of in the U.S.A. (under the catchphrase REAL ID), proposed in the U.K. (as the National Identity Register - NIR), and attempted several times in Australia (in 1985-87 as the defeated Australia Card - Clarke 1987, in 2005-06 as the withdrawn 'national identity system' - APF 2006a, and in 2006-07 as the collapsed Access Card - APF 2007). Analyses of the elements of national identification schemes are in Clarke (2006a) and No2ID (2008).
The claim that a national identification scheme would be cheaper than operating multiple schemes is illusory, because diseconomies of scale and scope grow very quickly, and overwhelm the economies that can be achieved through cost-sharing across two or three closely-related business functions. Proposals have long existed to use smartcard technology to provide securem independent management of the multiple identifiers used in dealings with multiple organisations (Clarke 1997, Wilson 2006, APF 2006b).
Many information technologies are neutral with respect to privacy. Some are actively Privacy-Invasive Technologies ('the PITs'). The term Privacy-Enhancing Technologies (PETs) refers to applications of technology that actively assist in the protection of privacy. The term was coined in 1995, although key examples pre-date its coinage by at least 15 years (Clarke 2001a).
The PETs scene has been confused during the last decade because of a number of Pseudo-PETs that have been put forward by technology providers. These include 'meta-brands' that purport to provide 'good housekeeping' 'seals of approval', but which provide no tangible privacy benefits (Clarke 2001d), and ineffectual protocols such as Platform for Privacy Preferences (P3P) (Clarke 1998b, 1998c, 2001c).
Real PETs can be usefully divided into three categories:
Distrust is a major impediment to all forms of eCommerce and eGovernment, and privacy is a crucial element of distrust. PETs represent opportunities to signal privacy-sensitivity, and to earn trust. Some specific ways in which organisations can seek payback from PETs include (Clarke 2008):
Concrete outcomes that can be sought by implementing PETs include:
This paper draws attention to many weaknesses in existing technologies and systems that are, variously through ignorance and intent, commonly overlooked. The stream of mythology that has flowed most strongly since September 2001 is that relating to biometrics. This section has to be brief and therefore superficial, but it is essential that the multiple frauds perpetrated in this area be exposed. Far too few publications are available that adopt a sceptical approach to the claims of biometrics technologists and marketers, but see Schneier (1999), Economist (2001), DBR (2002) and EPIC (2007, 2008).
Biometrics lobbyists have been working for many years to try to get their schemes accepted. Most biometric technologies have failed. Many biometrics companies have failed, and most extant biometrics operations are supported by cross-subsidy from more successful divisions within the same company.
Biometrics tackles a very difficult challenge, and a host of factors have to be confronted that undermine quality. The scope for error is vast, the prevention of masquerade is very difficult and very expensive, and the cost of false-positives is often prohibitive. Only a small number of technologies are tenable, and all of those can be applied effectively only in very specific contexts. Meanwhile, from the viewpoint of the people subjected to them, biometrics procedures are demeaning, intrusive and onerous (Clarke 2001b, 2002).
The biometrics lobbyists received a massive boost from the 12 September 2001 phenomenon. Whereas 11 September 2001 was a genuine public safety issue that needed to be addressed, the 'national security' agencies harnessed counter-terrorist hysteria to achieve massive and completely unjustified inroads into civil freedoms. These included mindless attempts to impose biometrics.
Linked with this movement have been unholy alliances between technology providers and user organisations. The Biometrics Consortium, the International Biometrics Industry Association (IBIA), and the 'Biometrics Institute' are all alliances of this nature, fraudulently declaring themselves to be sources of "unbiased information" about biometrics. Government agencies in the USA and in Australia have prostituted themselves by contriving testing regimes and reports that give biometric technologies an appearance of adequacy - extraordinarily so in the case of the NIST program to legitimate the pseudo-biometric usually mis-described as 'facial recognition' (FRVT, conducted in 2000, 2002 and 2006).
One of the 'national security extremist' positions that has been adopted by such organisations is that the introduction of biometric schemes is necessary to combat terrorism. This is readily shown to be false (e.g. Schneier 2001, Ackerman 2003, Clarke 2003a, Jonas 2004). Terrorists are defined by the acts that they perform, not by their entifier. But the myth continues to be sustained by the misleading statements made by these organisations, and the lack of scepticism shown by media outlets.
Organisations naturally seek to manage identification and identity authentication arrangements in such a way that they address risks, and cost the organisation as little as practicable (e.g. by transferring costs to others, particularly the individuals whose identity is being managed). It is therefore tempting for organisations' CIOs to perceive 'identity management' as just another part of their application portfolio.
It is highly advisable to instead recognise that 'identity management' is infrastructure that underpins other applications, and to appreciate the highly charged atmosphere that surrounds it. Identity schemes invite massively negative reactions by the public, and offer the media enormous scope for stories that depict the organisation as the villain, imposing on the freedoms of individual customers, citizens, employees, patients, students, etc. The risks spiral as the identity scheme moves up the scale from single-purpose to multi-purpose, and as single-purpose identifiers are subsumed by or correlated into a national identity scheme.
The primary purpose of this paper has been to show that a set of conventional views relevant to identity management are Myths. This has consumed almost all of the space available in a paper of conventional length. The following brief, positive comments can be inferred from the largely negative exposition above.
Identity management schemes need to pass a test of acceptability by the public generally, and by the individuals they are imposed upon. A failure in that test represents an impediment to adoption, and translates into slow and low adoption rates. Beyond that lie the risks of negative media exposure, and public backlash, opposition, rejection, and even eActivism. The natural outcomes are project failure, and not merely a failure to achieve Return on Investment, but outright waste of the funds of shareholders and/or taxpayers, and harm to the careers of those left in charge of the system when its disbenefits become all-too-apparent.
Identity management schemes therefore demand a strategic approach. They are best developed within the context of a privacy strategy (Clarke 1996, 2006b). They need to be risk-managed, with public consultation, open information and the exercise of great scepticism about the many Myths outlined in this paper.
More specifically, the following guidance is offered:
The identity management movement, and its predecessor digital signature and authentication initiatives, have appeared to consumers and citizens to be aggressive and authoritarian, and designed by big organisations for big organisations, with little attention paid to the interests of the people who are expected to submit to the dictates of the scheme.
The collection of any form of identification needs to be justified. And frequently the assertions that need to be authenticated don't relate to identity. The kinds of things the organisation needs to be confident about are assertions of fact (or the accuracy of data), assertions of value ('Here's the money. Check it now'), and attribute assertions ('I am over 18'; or 'I'm a plumber and I get the trade discount'). Much greater understanding of human entity and identity is needed, and much more balance between organisational desires and human needs.
Ackerman L. (2003) 'Biometrics And Airport Security' Privacy Activism, 17 February 2003, at http://www.privacyactivism.org/Item/64
AGIMO (2005) 'The Australian Government e-Authentication Framework (AGAF)' Australian Government Information Management Office, March 2005, at http://www.agimo.gov.au/infrastructure/authentication/agaf_b
APF (2006a) 'Australia Card Mark II' Australian Privacy Foundation, May 2006, at http://www.privacy.org.au/Campaigns/ID_cards/NatIDScheme.html
APF (2006b) 'The National Identification Scheme: What does the APF say should be done instead?' FAQ 11, Australian Privacy Foundation, December 2006, at http://www.privacy.org.au/Campaigns/ID_cards/HSAC-FAQ11.html
APF (2007) 'The National Identification Scheme' Australian Privacy Foundation, 2007, at http://www.privacy.org.au/Campaigns/ID_cards/HSAC.html
Brands S. (2000) 'Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy' MIT Press, 2000
Brands S. (2007) 'U-Prove SDK Overview' White Paper, Credentica, Montreal, April 2007, at http://www.credentica.com/files/U-ProveSDKWhitepaper.pdf
Clarke R. (1987) 'Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme' Prometheus 5,1 (June 1987). Republished in Computers & Society 18,1 (January 1988), together with an important Addendum, published in Computers & Society 18,3 (July 1988), at http://www.rogerclarke.com/DV/OzCard.html
Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512, at http://www.rogerclarke.com/DV/CACM88.html
Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Info. Technology & People 7,4 (December 1994), at http://www.rogerclarke.com/DV/HumanID.html
Clarke R. (1996) 'Privacy, Dataveillance, Organisational Strategy' Keynote Address for the I.S. Audit & Control Association Conf. (EDPAC'96), Perth, 28 May 1996, at http://www.rogerclarke.com/DV/PStrat.html
Clarke R. (1997) 'Chip-Based ID: Promise and Peril', for the International Conference on Privacy, Montreal (September 1997), at http://www.rogerclarke.com/DV/IDCards97.htmlClarke R. (1998a) 'Privacy Impact Assessment Guidelines' Xamax Consultancy Pty Ltd, February 1998, at http://www.xamax.com.au/DV/PIA.html
Clarke R. (1998b) 'Platform for Privacy Preferences: An Overview' (April 1998), Privacy Law & Policy Reporter 5, 2 (July 1998) 35-39, at http://www.rogerclarke.com/DV/P3POview.html
Clarke R. (1998c) 'Platform for Privacy Preferences: A Critique' (April 1998), Privacy Law & Policy Reporter 5, 3 (August 1998) 46-48, at http://www.rogerclarke.com/DV/P3PCrit.htmlClarke R. (1999a) 'Anonymous, Pseudonymous and Identified Transactions: The Spectrum of Choice ', Proc. IFIP User Identification & Privacy Protection Conference, Stockholm, June 1999, at http://www.rogerclarke.com/DV/UIPP99.html
Clarke R. (1999b) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st Int'l Conf. on Privacy and Personal Data Protection, pp.131-150, Hong Kong, 13-15 September 1999. Revised version in Information Technology & People 14, 2 (Summer 2001) 206-231, at http://www.rogerclarke.com/DV/PLT.html
Clarke R. (2001a) 'Introducing PITs and PETs: Technologies Affecting Privacy' Privacy Law & Policy Reporter 7, 9 (March 2001), at http://www.rogerclarke.com/DV/PITsPETs.html
Clarke R. (2001b) 'Biometrics and Privacy' Xamax Consultancy Pty Ltd, April 2001, at http://www.rogerclarke.com/DV/Biometrics.html
Clarke R. (2001c) 'P3P Re-visited' Privacy Law & Policy Reporter 7, 10 (April 2001), at http://www.rogerclarke.com/DV/P3PRev.htmlClarke R. (2001d) 'Meta-Brands' Privacy Law & Policy Reporter 7, 11 (May 2001), at http://www.rogerclarke.com/DV/MetaBrands.html
Clarke R. (2001e) 'The Fundamental Inadequacies of Conventional Public Key Infrastructure' Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001, at http://www.rogerclarke.com/II/ECIS2001.html
Clarke E. (2001f) 'Authentication: A Sufficiently Rich Model to Enable e-Business' Xamax Consultancy Pty Ltd, October 2001, at http://www.rogerclarke.com/EC/AuthModel011019.html
Clarke R. (2002) 'Biometrics' Inadequacies and Threats, and the Need for Regulation' Xamax Consultancy Pty Ltd, April 2002, at http://www.rogerclarke.com/DV/BiomThreats.html
Clarke R. (2003a) 'Biometrics in Airports How To, and How Not To, Stop Mahommed Atta and Friends' Xamax Consultancy Pty Ltd, February 2003, at http://www.rogerclarke.com/DV/BioAirports.html
Clarke R. (2003b) 'Authentication Re-visited: How Public Key Infrastructure Could Yet Prosper' Proc. 16th Int'l eCommerce Conf., at Bled, Slovenia, 9-11 June 2003, at http://www.rogerclarke.com/EC/Bled03.html
Clarke R. (2004a) 'Identity Management: The Technologies, Their Business Value, Their Problems, and Their Prospects' Xamax Consultancy Pty Ltd, March 2004, from http://www.xamax.com.au/EC/IdMngt.html
Clarke R. (2004b) 'Identification and Authentication Glossary' Xamax Consultancy Pty Ltd, March 2004, extract from Clarke (2004a), at http://www.rogerclarke.com/EC/IdAuthGloss.html
Clarke R. (2004c) 'Identification and Authentication Fundamentals' Xamax Consultancy Pty Ltd, May 2004, at http://www.rogerclarke.com/DV/IdAuthFundas.html
Clarke R. (2006a) 'National Identity Schemes - The Elements' Xamax Consultancy Pty Ltd, February 2006, at http://www.rogerclarke.com/DV/NatIDSchemeElms.html
Clarke R. (2006b) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006), at http://www.rogerclarke.com/DV/APBD-0609.html
Clarke R. (2008) 'Business Cases for Privacy-Enhancing Technologies' in Subramanian R. (Ed.) 'Computer Security, Privacy and Politics: Current Issues, Challenges and Solutions' IDEA Group, 2008, at http://www.rogerclarke.com/EC/PETsBusCase.html
DBR (2002) 'Biometrics - Hype and Reality' Deutsche Bank Research, Frankfurt, May 2002, at http://www.dbresearch.com/PROD/DBR_INTERNET_EN-PROD/PROD0000000000043270.pdf
Economist (2001) 'Watching you: What security technology can - and cannot - do about terrorism' The Economist 360, 8240 (22 September 2001)
EPIC (2007) 'Face Recognition' Electronic Privacy Information Center, http://epic.org/privacy/facerecognition/
EPIC (2008) 'Biometric Identifiers' Electronic Privacy Information Center, Washington DC, April 2008, at http://epic.org/privacy/biometrics/
Gelfand A. (2008) 'Startup Plans to Solve Online Identity Theft, But Does Anyone Care?' Wired News, 8 February 2008, at http://www.wired.com/print/politics/security/news/2008/02/credentica
ICO (2007) 'Privacy Impact Assessment Handbook' Information Commissioner's Office, Wilmslow, I.K., December 2007, at http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/1-intro.html
IPS (2008) 'About ID cards and the National Identity Scheme' Identity and Passports Office, London UK, 2008, at http://www.ips.gov.uk/identity/scheme-what.asp
Jonas G. (2004) 'Biometrics Won't Catch Disposable Terrorists' National Post, 19 January 2004, at http://www.benadoraassociates.com/pf.php?id=1336
Jøsang A. & Pope S. (2005) 'User Centric Identity Management' Proc. AusCERT Conference 2005, at http://sky.fit.qut.edu.au/~josang/papers/JP2005-AusCERT.pdf
JPN (2008) 'MyKad: The Government Multipurpose Card', Jabatan Pendaftaran Negara, Malaysia, 2008, at http://www.jpn.gov.my/kppk1/Index2.htm
Kaye D. (2002) 'On Liberty and the Case for Anonymous Federation of Identity' RDS Strategies, September 2002, at http://www.rds.com/essays/20020904-liberty.html
Liberty (2008a) 'History of the Liberty Alliance' Liberty Alliance, 2008, at http://www.projectliberty.org/liberty/about/history
Liberty (2008b) 'Privacy, Trust and Security' Liberty Alliance, 2008, at http://www.projectliberty.org/liberty/strategic_initiatives/privacy_trust_security
NCSL (2008) 'Real Id Act Of 2005 - Driver's License - Title Summary' National Conference of State Legislatures, 2008, at http://www.ncsl.org/standcomm/sctran/realidsummary05.htm
No2ID (2008) 'The problems with "ID Cards"' No2ID Campaign Inc., London, 2008, at http://www.no2id.net/IDSchemes/whyNot.php
OFPC (2006) 'Privacy Impact Assessment Guide' Office of the Federal Privacy Commissioner, August 2006, at http://www.privacy.gov.au/publications/PIA06.pdf
Samuels R. & Hawco E. (2000) 'Untraceable Nym Creation on the Freedom 2.0 Network' Zero-Knowledge Systems Inc., November, 2000 , at http://www.homeport.org/~adam/zeroknowledgewhitepapers/Freedom-NymCreation.pdf
Schneier B. (1999) 'Biometrics: Uses and Abuses' Inside Risks 110, Communications of the ACM 42, 8 (Aug 1999), at http://www.schneier.com/essay-019.html
Schneier B. (2001) 'the September 11 terrorist attacks and their aftermath' Crypto-Gram Newsletter Special issue of 30 September 2001, at http://www.schneier.com/crypto-gram-0109a.html
Stewart B. (1996) 'Privacy impact assessments' Privacy Law & Policy Reporter 3, 4 (July 1996) 61-64, at http://www.austlii.edu.au/cgi-bin/disp.pl/au/journals/PLPR/1996/39.html
Wilson S. (2006) 'A new manifesto for smartcards as national information infrastructure' Proc. Fifth Homeland Security Summit, Canberra, 2006, at http://www.lockstep.com.au/file?node_id=5889
Winn J.K. (2001) 'The Emperor's New Clothes: The Shocking Truth About Ditial Signatures and Internet Commerce' Idaho Law Review 37 (2001) 353-388
This paper builds on a long series of prior publications and presentations over the last twenty years. In addition to the papers formally referenced above, invited presentations were made in Washington DC in 2001, in Sydney in 2002 aand 2003, in Toronto and Ottawa in 2004, to Australian Computer Society Branches nationwide in 2004, and in Victoria (British Columbia) and Canberra in 2006. An earlier version of this paper was presented as an Invited Keynote at 'Managing Identity in New Zealand', Wellington, 29-30 April 2008, under the title '(Id)Entities (Mis)Management: The Mythologies underlying the Business Failures'. Feedback from reviewers and delegates is acknowledged. The responsibility for the analysis and argument lies of course with the author alone.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He has conducted many consultancies relating to PKI, authentication and biometrics, and was a member of the team that produced the Australian Government Authentication Framework (AGIMO 2005).
He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 27 February 2008 - Last Amended: 5 May 2008 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/IdMngtMyths.html