Roger Clarke’s Identity Home-Page

© Xamax Consultancy Pty Ltd,  1995-2017

This segment of the site provides access to papers that I've published in the broad area of 'Identity'. Included within the scope is the concept of 'Entity'; the processes of Identification (of identities) and Entification (of entities); and both the Identifiers that distinguish each instance of an identity, and the Entifiers that distinguish each instance of an entity. And then there's Nymity and Nyms (and the sub-categories of Pseudonymity and Anonymity). And of course Identity Management, and Authentication, and Authorisation, and a lot of other important concepts. And some other relatively new ideas, such as the Digital Persona, and Identity Silos.


The resources in this segment of the site can be accessed in the following ways, most useful first:

The Topic-Based Index of my papers on identity themes, up-to-date at 23 November 2015, below

The What's New Page (because the indexes are never fully up-to-date), here

The Chronological Index of my papers on identity themes, here

The Search Facility, in the button at the top-right-hand side of the page


Annotated Bibliography of Identity Papers

1. The Model and Glossary

2. The Nature of Identity

3. Entity and Identity

3.1 Nymity

3.2 Privacy-Enhancing Technologies (PETs)

4. (Id)entity in Information Systems

4.1 The Digital Persona

5. (Id)entifiers and (Id)entification

5.1 Nyms

6. Authentication

6.1 ID Cards

6.2 National Identification Schemes

6.3 Digital Signatures

6.4 Biometrics

6.5 Chip-Based ID

7. Authorisation and Access Control

7.1 Identity Management Schemes

8. Person Location and Tracking

9. Impacts and Implications

10. The Future of Identity

10.1 Cyborgisation


What's Busy? These are the Most Highly Cited and Accessed Papers

See also the following recent and comprehensive papers:


1. The Model and Glossary

The full rendition is in 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' (2010), supported by Application of the Model (2010).

Glossaries of the terms and their definitions are provided here:

A succinct summary of the model is provided in 'Identification and Authentication Fundamentals' (2004).

The mature model built on the following papers and presentations:

A critique of mainstream theory and practice is in '(Id)Entities (Mis)Management: The Mythologies underlying the Business Failures' (2008).

A further development is in Lessons from a Sufficiently Rich Model of (Id)entity, Authentication and Authorisation (2009).


2. The Nature of Identity

I've published on this only briefly, primarily in the early sections of 'Human Identification in Information Systems' (1994). I really should summarise key references from the humanities and social science literatures some time.


3. Entity and Identity

An Entity is a real-world thing (a pallet, a computer, an animal, a human being). An Identity is also a real-world thing, but is of virtual rather than physical form. Commonly it is a presentation of an entity. Entities may have many identities, reflecting their diverse roles in different contexts.

This sub-topic has been central to my work in the area, because it is foundational, and the conventional blurring of the two concepts has caused enormous problems for eBusiness and eGovernment.

The most accessible of the analyses I've undertaken are in:

3.1 Nymity

Nymity is a characteristic of an Identity, whereby it cannot be associated with any particular Entity.

The foundation analysis is in 'Human Identification in Information Systems' (1994), and was expanded in:

The analysis was consolidated in:

And the analysis is embodied in 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' (2009-10).

3.2 Privacy-Enhancing Technologies (PETs)

The concept of 'PETs' dates to 1995. An explanation is in:

The ideas were developed in a series of papers:


4. (Id)entity in Information Systems

This sub-topic is concerned with records and data-items, and their relationships to (id)entities and their attributes.

The foundation work is the paper on 'Human Identification in Information Systems' (1994)

See also 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' (2009-10)

This sub-topic also encompasses the notion of 'data silos'

4.1 The Digital Persona

I introduced this concept in 'Computer Matching and Digital Identity' (1993)

The key work is 'The Digital Persona and Its Application to Data Surveillance' (1994)

I reviewed progress in 'Promise Unfulfilled: The Digital Persona Concept, Two Decades Later' (2012)

See also 'Human-Artefact Hybridisation and the Digital Persona' (2005)


5. (Id)entifiers and (Id)entification

An (Id)entifier is a data-item or items that enable the (Id)entity to be distinguished from others in the same category.

(Id)entification is the process whereby data is associated with a particular (Id)entity. This is achieved by acquiring an (Id)entifier for it.

This area of my work builds on the fundamental notions of Identity and Entity, and applies the extended model to the ways in which organisations associate data with real-world (Id)entities. It thereby lays the foundation for understanding the serious deficiencies in conventional approaches to 'identity management'.

The foundation work is the paper on 'Human Identification in Information Systems' (1994)

See also 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' (2009-10)

This sub-topic also encompasses the notion of 'identity silos'

5.1 Nyms

A Nym is an Identifier whose association with an underlying Entity is not known.

See the references in 3.1 Nymity, above.

See also 'Famous Nyms' (2000).


6. Authentication

Authentication is the process whereby a level of confidence in an assertion is achieved. One (of many) forms is '(id)entity authentication', which is a process to achieve some level of confidence in an assertion that an (id)entifier is being appropriately used. Conventional approaches to identity management fail to distinguish between the authentication of entity and of identity, resulting in flaws in most schemes that are seriously detrimental and in some cases fatal.

This sub-topic also encompasses the notions of verification, tokens, authenticators, credentials, evidence of identity and proof of identity.

The foundation work is the paper on 'Human Identification in Information Systems' (1994)

A comprehensive analysis is in 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' (2009-10)

Important steps in the development of the ideas are in these papers:

Other relevant publications include:

Additional publications of relevance are listed under the sub-topics below.

6.1 ID Cards

Credit-card-sized plastic is the most common of a number of forms that can be used as tokens (i.e. means of carrying an identifier such as a customer-code in a form that is easily captured) or as credentials (i.e. means of carrying information that assists in authenticating an assertion, most commonly an identity assertion; for example, the card may carry a copy of the person's signature).

The term 'ID card' is very loosely used to refer to cards that are used both as tokens and as credentials. An ID card can be used for a very specific purpose, for multiple-purposes, or for general-purposes. There is always a tendency for a narrow-purpose ID card to drift towards wider purposes. The sub-topics below deal with the specifics. The following papers have addressed the general topic of cards:

6.2 National Identification Schemes

A comprehensive scheme to enable identification and identity authentication of a population is usefully referred to as a national identification scheme. An ID Card is one element among many in such a scheme. A number of papers have addressed the topic.

The primary papers are:

Other resources include:

6.3 Digital Signatures

During the 1970s and 1980s, an application of cryptography emerged that promised to enable the authentication of message-senders. A sender could append a block of text to a message, which was encrypted in such a way that the recipient could be confident that only the purported sender could possibly have generated it. The block of text was called (somewhat misleadingly) a 'digital signature', and the paraphernalia needed to support the mechanism was called 'public key infrastructure' (PKI).

The mathematics is wonderful, but unfortunately the idea as a whole is extremely difficult to implement effectively. The primary papers in which I analysed the problems and proposed solutions are:

The following papers examined particular aspects of the topic:

6.4 Biometrics

Biometric technologies endeavour to identify people, or to authenticate assertions about people, based on some physical characteristic that is, or is asserted or assumed to be, reliably unique. Most biometrics technologies don't work effectively in the real world. A very few – essentially only fingerprints and iris (and, in narrowly constrained contexts, hand geometry) – have any credibility. But even these have a vast array of quality and security problems. Despite this, business and government keep trying to implement biometric schemes.

Whether they are effective or not, biometric technologies are extraordinarily threatening to freedoms of the individual. My papers have summarised the nature of biometrics, and examined the wide range of myths that have been perpetrated and sustained by biometrics suppliers, their industry associations, and national security and law enforcement agencies.

The most important papers are:

Other papers and presentations include:

6.5 Chip-Based ID

A number of papers have directly addressed the question of the use of cards containing micro-chips as a means of implementing tokens (to assist in human identification) and/or credentials (to assist in human identity or entity authentication):


7. Authorisation and Access Control

A major use of (id)entification and (id)entity authentication by organisations is to control access to 'system resources' (i.e. software and data). An authenticated identity is allowed access on the basis of previously-decided authorisations (sometimes also called permissions and privileges). The process as a whole is often referred to by information security specialists as 'access control'.

The primary paper is 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' (2009-10)

Other papers of relevance include:

This sub-topic also encompasses the notions of user, loginid/userid/username, account, registration, pre-authentication, enrolment, single sign-on, and simplified sign-on.

7.1 Identity Management Schemes

Identity Management is a generic term for architectures, infrastructure and processes that support the authentication of assertions relating to identity, and the authorisation of access to system resources.

The area has been a muddle of technological, standards and competitive activity since the late 1990s. It will continue to be a muddle, because the majority of schemes, when evaluated against the model put forward in my work, fail dismally.

The most important papers are:

Other papers and presentations include:


8. Person Location and Tracking

(Id)entification and (Id)entity authentication are enablers of many things. One of them is finding people, and recording their successive locations, in order to support retrospective or (increasingly) real-time surveillance.

The major papers in this area are:

Other papers include:


9. Impacts and Implications

My analyses of the many aspects of human identity in the information era are generally pregnant with policy concerns and policy implications.

The most important papers in which the policy aspects predominate are as follows:

Other papers include:


10. The Future of Identity

I have published only a limited amount in the way of prognostications about the future of identity, and much of that is brief, and embedded in a scatter of papers. One specific aspect is outlined in a final sub-section below. The following text provides a brief indication of why I judge that the next half-century is looking decidedly unattractive.

During the second and third decades of the 21st century, a range of factors will conspire to threaten the fragile civil freedoms enjoyed in 2000 by residents of the more economically-advanced nations. The political power of the brigade of the self-righteous, who wish to impose their values on everyone else, will be strengthened by social turmoil arising from such factors as:

Law and order lobbyists and their allies in technology-providing corporations, aided by the corporatised, for-profit nation-states emergent from contemporary 'public-private partnerships', will make repeated attempts to impose authoritarian technologies and mechanisms, including:

Under such circumstances, the scope for free speech, and especially for opposition to authoritarian measures of the kinds listed above, will be much more constrained. Given the dramatic and entirely unjustified authoritarian legislation passed in most 'free' countries between 2002 and 2007 on the pretext that it was necessary in the 'war against terrorism', there is a significant prospect that freedoms associated with human identity may be insufficiently protected by political will, and may depend for their survival on technological failures, economics and institutional collapse.

10.1 Cyborgisation

Humans are increasingly being fitted and implanted with prostheses (which recover lost functionality) and orthoses (which provide additional functionality). Meanwhile, robots are slowly increasing in their capabilities. If both of these transpire to be trends rather than short-term phenomena, then the notion of human, and with it human identity, will progressively change.

I began my investigations of emergent reality in this area by means of 'Asimov's Laws of Robotics: Implications for Information Technology' (1993-94).

A more substantial investigation was in

These predicted Oscar Pistorius knocking on the door of Olympic competition in 2008 – as it turned out, correctly.

The impacts on human identity were the subject of a preliminary analysis in 'Human-Artefact Hybridisation and the Digital Persona' (2005).

See also 'Hybridity - Elements of a Theory' (2005).

Some years later, I examined Cyborg Rights (2011) (final version in IEEE Technology & Society).

I also considered aspects of the drone phenomenon that involve cyborgism in What Drones Inherit from Their Ancestors (Computer Law & Security Review, June 2014).

More generally, see Homo Roboticus and Roboticus Sapiens.



The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 24 February 2009 - Last Amended: 23 November 2015 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/ID/index.html