Back to school

Dave Birch has done an excellent job of describing a point that is oft-discussed in identity/privacy circles: that we in fact rarely need to identify ourselves. Government ministers bang on about how good citizens need to identify themselves many times each day. Utter poppycock. We need to prove entitlement to a service, or authenticate ourselves as the legitimate recipient, but we rarely need to identify ourselves. Please can we sit down with the policymakers and educate them on some of the most elementary principles of ID before they start writing user specifications for massive database systems? (Of course, if we educated them properly, the systems wouldn’t be massive in the first place.)

I get particularly annoyed when I’m asked for inappropriate credentials. Government offices will very often request a credit card so that I can prove who I am when going into a building. What exactly does that prove? That I’m capable of stealing a wallet or making a false credit card? My solution is always to respond to a request for an inappropriate credential with an inappropriate credential: my favourite cards are my National Rifle Association membership (that always leaves security guards with a dilemma) or my CLAS membership (a little piece of laminated card that in theory says I have security clearance, but in practice has nothing to bind it to the bearer other than a name on the front).

Of course the politician’s response to this problem is to say that it proves the need for an identity card. Oh no, it doesn’t. It proves the need for an identity metasystem, and that’s a very different beast indeed.

1 comment

Maybe a different model is easier to understand for those people: you have one physical identity, but many electronic and paper ones (let's call them 'virtual' as a collective noun). You have a passport, credit cards, access card for your building - all those represent a collection of rights and obligations that in the end refer to the physical you. This is why terms like "identity theft" have to be used with care: it's rather hard to steal someone's physical identity without them noticing; in reality it refers to one of your many virtual representations. So, one physical identity, many virtual ones, each of which leads to sets of multiple rights, benefits and obligations. The issue process of such a virtual identity is mainly concerned with establishing the connection between the physical you and the electronic version: is the right person getting permission to get into the building, is this the person we have a bank agreement with, etc. - this process can be simple or in depth. After that link has been established you are just a number. Biometrics, PIN, the way you look - all these just serve to confirm you're the rightful inhabitant of the virtual identity in use and thus entitled to the benefits of that.

However, I found the reverse much more entertaining. Have you ever verified yourself if the person asking is entitled to your credentials? 9 out of 10 times they can't and rely on your social conditioning to not get that question asked. Use with care, though.