While Washington, DC may not have a lot of companies working on identity technologies, it certainly has a lot of bright people working on identity policies. This afternoon I got to hear one them, Jim Harper, speak about his research into identity and identification and his subsequent book, Identity Crisis: How Identification Is Overused and Misunderstood. If you haven’t read it yet, do so. It is an approachable survey of identity management and identification issues facing the U.S., set in the context of the REAL ID Act. (The short blurb I gave my mother-in-law about the book was enough to get it into her reading stack.) This wasn’t the first time I had the opportunity to hear Jim; Phil roped him into giving a keynote at Digital ID World last year.
There were two items I took away from his talk. First, Jim has an excellent analogy on how we protect physical assets versus how we “protect” electronic financial data. How many keys do you have in your pocket or purse? I’d wager it’s probably more than three. I’m also confident that you have a bunch more keys at home in the drawer somewhere. Each key matches up to an important physical asset: an apartment, a bike, a car, a safe, etc. In fact, you may even use multiple different keys to secure the same physical asset. Although convenient, I don’t think anyone would use the same key for every asset they own; just the idea of it seems somehow unsettling. Jim makes the point, if people don’t use a single key for securing their physical assets, how come we have (or are coming dangerously close to) using a single key, social security number, for “securing” all of our financial data?
Second, the point that credentialing, or authorizing, is just as important as identifying. At a point-of-sale terminal, merchants are primarily interested in can you pay, not who you are. Knowing that you are allowed to travel, but hiding who is doing the traveling. This smacks of both Dick’s Identity 2.0 talk and Bob’s talk on the Identity Oracle from last year’s Catalyst.
The question was raised what are the real opportunities that people have to opt-out of large scale identification. In reality, it is hard to opt-out of being identified and continue to fully function in society. There is a glimmer of hope in stronger identification systems allowing citizens more choice as what is needed to identify them. This sits somewhere between Kim’s Law of Minimal Disclosure and the Identity Governance Framework.
All in all, it was great to hear Jim speak and heartening to find parallels between identity policy and identity technology. I am concerned that too many bright identity minds are wrapped up in “enterprise” projects and have lost a bit of the wider societal view of the implications and impact of their work