• United States

The question of identity ownership crops up again

Jan 23, 20063 mins
Access ControlNetworking

* Who owns your identity?

IBM’s resident thought leader on identity is Bob Blakely. His actual title is IBM Tivoli chief scientist, but – to me – that’s even scarier than “thought leader.” What he does is to use his puckish wit to initiate, enliven or further discussions about important issues of the day. Blakely recently posted a note to his blog titled “On The Absurdity of ‘Owning One’s Identity'”.

Who “owns” a particular identity is a question that has bubbled around the personal identity arena over the past year, and shows signs of becoming a major question for enterprise identity providers as well as governments, organizations, and commercial establishments – especially when the IBM Tivoli “chief scientist” turns his attention to it. I’ve looked at this question a few times over the life of this newsletter (see “Does anyone own their own identity?”) but it keeps coming back.

Of course, asking who owns an identity is a lot like asking who owns a wergfedsan. You have to first define the term! Microsoft’s Carl Ellison (quoted in the newsletter mentioned above) says: “I suspect that each individual has an inherent identity, but that it is irrelevant. Rather, I define the identity of person P as being a function not I(P) but rather I(P,O,t) – the identity of P from the point of view of observer O at time t.” Blakely defines two types of identity: “your reputation (the story others tell about you), and your self-image (the story you tell about yourself).” Blakely’s “reputation” seems to have a lot in common with Ellison’s I(P,O,t) definition.

Blakely begins his long note by quoting from Kim Cameron’s first law of identity but it’s interesting to note that nowhere within the “Laws of Identity” that Cameron propounds does the verb “own,” or the nouns “owner” or “ownership” occur. Cameron talks about a user “controlling” their own identity. To be fair, Blakely also discusses the issue of control – and offers his opinion that it simply won’t work. Anyone at all interested in the ethical and legal ramifications of identity policy should spend a good deal of time digesting both Cameron’s and Blakely’s thoughts.

My position is that no one owns an identity, but people need to participate in any process that distributes their identifiers (any attribute value, or combination of attribute values, which can uniquely identify the person in a given context) – either actively or passively.

New product: Vasco Data Security has just released the Digipass 300 Comfort Voice, a device to provide strong online authentication for the blind and visually impaired. While its major thrust is the new-found need for strong authentication by banks and other financial institutions (see “Digital ID World attendees raise concerns over security guidelines for banks”), the technology could be useful in other situations. Mobile-phone user authentication comes to mind. Check it out for yourself, though.