
Category: digital

Root Identity: Mesh Identity

Real ID Act

I blame the terrorists. The movement to create national identity cards was given fuel by the attacks of 9/11 and the subsequent formation of the Department of Homeland Security. The “concept” is that by issuing government-sponsored official identity documentation we would introduce a control point in the process of differentiating “us” from “them.” There is a lively debate about whether such a system could be spoofed to somehow allow “them” to acquire identity cards and pass themselves off as authentically one of “us.” There’s no question that such an identity card would create a glaring single point of failure. The program meant to get the ball rolling is called the Real ID Act.

Personal identity is the sameness of a same person in different moments in time.

A simple frame for understanding the potential problems with the proposal requires focusing on the idea of the One and the Many. (Those seeking extra credit can explore Hegel vs. Locke and review the STI’s white paper on Digital identity.) Can one national root identity be made strong and authoritative enough to be the foundation for all digital identity instances? In the future, will you have a single root identity provisioned by your government? Will you co-own your identity with your government, or will they have a 51% controlling interest when it comes to anything important?

Digital Identity is a man-made thing, an artifact, that refers to a person, and is different from a person.

An alternative vision is based on user-centric ownership and assertion of identity. The claims an individual makes to establish her identity and reputation are validated by many different sources, both strong and weak. Rather than a single root, the foundation is rhizomatic, or a mesh of validated relationships and reputation. A government-issued identity card can, and does, have a role in the mesh; the question is whether it should be authoritative or simply continue to contribute to the whole.

Yes, but how does an Identity Mesh help us fight the terrorists? Well, no one thing will be a silver bullet. But you could argue that assembling a complete meshed identity across multiple active relationships would be more difficult than compromising a single authoritative root identity. The conversation about personhood and identity systems is taking place in the context of Homeland Security. The unintended consequences of selecting this tactic to enhance our national security are vast. Ask George Orwell.

As we discuss how to mesh together identity across social networks, there’s a shadow falling from overhead. While the concept of a metaverse doesn’t seem in the offing, we are starting to create an augmented reality through the combination of these services. Identity will be at the foundation, and creating that foundation will be a political process, not a technical one. In fact, the political must limit the technical if we are to preserve the inalienable rights of our democracy.


The Razor and the Blade: Kumbaya Economics

There are a number of narratives located in the words “open source.” The most dominant narrative is the story about software development and maintenance through tightly coordinated iterations via inputs from a potentially unlimited and unbounded number of interested parties. The economics of open source require the diversification of the carriers of value from the traditional modes. I’ve purposefully begun this exploration with economics rather than the concept of free access to source code.

It’s the idea of “free” that has expanded to connect up with other “free narratives” to create confusion. It’s a kind of utopian vision: free beer, free speech, free love, free software. A binary opposition is generated that pits free + generosity against price + greed. The moral elements of the equation rise to the surface when comparing alternative software solutions. There’s a utopian narrative that has attached itself to open source software and simultaneously detached itself from any rational economics. It’s a story of free beer rather than free speech, and is utopian in its original meaning of “no place.”

Safety Razor

Chris Anderson has focused the conversation with his forthcoming book called “Free.” The emerging economic model he describes is woven from value transactions across multiple delivery and product modes, some free, others at a cost. This blend results in a sustainable economic system. It’s the combined value of the whole set that matters, not the percentage of free delivery modes vs. pay delivery modes. And as we move further into the attention-gesture economy, the methods of payment will be more diversified as well. One-hundred-percent free in all modes, for all time, is simply a method of incurring debt. At some point the system has to come back into balance, either through the addition of a revenue component or bankruptcy. Hobbyist or enthusiast systems work through the attention-gesture economy, but so do services like The Google.

There are thousands of open source projects, but the ones that combine well with commercial projects are the most active and well supported. The number of active projects is actually quite small. Entrepreneurs are constantly searching for new combinations to produce excess value at viable margins. As products become more modular, value migrates to design. Apple’s operating system combines open source infrastructure with a highly-customized human interface. The combination creates superior value.

There’s a temptation to believe that all the players in a commercial market should contribute openly to the commons, that we should all come together and sing kumbaya. The fact that every new digital product will contain some form of open source module doesn’t change the competitive landscape. Companies may sing kumbaya, but they still wield the razor and the blade, and that’s as it should be.


Somewhere Philip K. Dick is Smiling…

Philip K. Dick

Finishing up a few things before leaving the office on a Friday, I gathered some notes and papers together and stuck them in my briefcase. I hurried toward the elevator. The office was mostly deserted; I was running a little late. I pressed the down button to call the elevator; after a short wait the elevator arrived and I stepped in. My mind was racing, filled with the events of the day, planning the weekend, thinking about next week’s business trip to Austin. Slowly I became aware of a voice speaking out of nowhere. I was in the elevator by myself.

I recognized the voice, both the words and the sound. It was a junk phone call I’d received on my Google Grand Central account. Suddenly I realized that the elevator’s emergency phone system was getting a junk phone call from a robot. The robot was telling the elevator that it “should act now to renew the extended warranty on its car.” We now live in a world where machines are spamming each other. As the machines of the network gain more and more capabilities, I can only imagine that this kind of machine-to-machine behavior will escalate. 

As I stepped out of the elevator, I turned and suggested that it get on the national “no call” list for machines, and that extended warranties aren’t worth the money.


Shared Secrets: You Bet Your Life

Groucho Marx: You Bet Your Life

Randall Stross lets the cat out of the bag in today’s Digital Domain column in the NY Times. The internet’s identity infrastructure is based on the use of passwords, and passwords are broken. And OpenID doesn’t solve the problem because the problem of passwords isn’t solved; rather, it is extended. The single sign-on that OpenID enables creates a single point of failure for the defense of personal identity. Are you willing to bet your life on a single shared secret?

Most of the current internet identity work has been done on low value information. The question is whether the infrastructure we’re building will extend to supporting high value information. At what point will medical, legal and financial information be part of the larger identity ecosystem? Do we really want a single, unified persistent internet identity, or will a two- or three-tiered system of identity and authentication be created:

  • Low value: quasi-anonymous information
  • Medium value: blogs, social media, sharable
  • High value: medical, financial, legal

What’s the right number of internet identities? Robert W. Anderson suggests that I need an OpenID for each health provider, for exclusive use with that provider. By using different uncorrelated username/password combinations across high value information/transaction accounts I can create the strongest possible position within the shared secret authentication ecosystem. Microsoft’s HealthVault will be accepting OpenIDs as a Relying Party from high trust Identity Providers Verisign and TrustBearer. But even as we start to venture into the area of medical information, we haven’t left the shared secret behind.

Authentication artifacts or factors are generally described as:

  • Something you know (shared secret)
  • Something you have (security token)
  • Something you are or do (biometrics)
  • Location (not in two places at once)
  • Time (limited allowable hours)

A new factor is emerging based on social networks: a lot of low-value validated social connections could add up to a very strong authentication factor. The relationship card is a similar idea that establishes the value of an identity by the relationships bound to it. Clearly there’s a tie-in to Vendor Relationship Management here.

Multi-factor authentication will require more than a shared secret; the real question here is about the human factors. What do we know about human behavior and passwords? Here are the top ten passwords:

  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (your first name)

I’m somewhat surprised that “swordfish” didn’t make the list. Passwords and the shared secret authentication ceremony are a high friction point for users of the Network. The easier it is for me to remember and use my password, in most cases, the less secure it is. Even though it’s possible with most authentication systems to create a highly secure password, if I can’t remember it, I can’t use it. We’re in the early stages of imagining and building new identity architectures. Information Cards have potential to move beyond the current ceremony while building on the wallet and card metaphor, but adoption seems to reside on the other side of the event horizon.
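The two points above, uncorrelated credentials for high value accounts and the top-ten list, can be checked mechanically. The following Python sketch is an added example, not part of the original post: it audits a set of accounts against the list and the three value tiers, and generates independent replacement credentials. The function names, the account record layout and the sample accounts are assumptions constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Top passwords as listed in the post; item 10 (the user's first name)
# is handled separately in audit().
TOP_TEN = {"password", "123456", "qwerty", "abc123", "letmein",
           "monkey", "myspace1", "password1", "blink182"}

def audit(accounts, first_name):
    """Return {account name: [findings]} for accounts that have a problem.

    Hypothetical record layout: name, tier (low|medium|high), username, password.
    """
    by_password = defaultdict(list)
    by_username = defaultdict(list)
    for a in accounts:
        by_password[a["password"]].append(a["name"])
        by_username[a["username"].lower()].append(a["name"])

    findings = defaultdict(list)
    for a in accounts:
        pw = a["password"].lower()
        if pw in TOP_TEN or pw == first_name.lower():
            findings[a["name"]].append("common password")
        if a["tier"] == "high":
            # High value accounts should share neither the secret nor the
            # identifier with any other account.
            if len(by_password[a["password"]]) > 1:
                findings[a["name"]].append("password reused")
            if len(by_username[a["username"].lower()]) > 1:
                findings[a["name"]].append("username correlated")
    return dict(findings)

def fresh_credential(length=20):
    """Generate an independent random username and password pair."""
    alphabet = string.ascii_letters + string.digits
    username = "u-" + secrets.token_hex(6)
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return username, password

# Constructed sample accounts, one or more per value tier.
SAMPLE = [
    {"name": "forum", "tier": "low", "username": "pat", "password": "letmein"},
    {"name": "blog", "tier": "medium", "username": "pat", "password": "Tr4il-mix-88"},
    {"name": "clinic", "tier": "high", "username": "pat", "password": "Tr4il-mix-88"},
    {"name": "bank", "tier": "high", "username": "p.doe.7731", "password": "Pat"},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, first_name="Pat").items():
        print(name, issues)
```

A credential produced by `fresh_credential` passes the audit, but it also shows the friction described above: nobody memorizes it, so it only works alongside some form of credential storage.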

Ultimately, internet identity and authentication ceremonies will be a social, cultural and political challenge. Systems can be built and standards can be established, but getting humans to use them is another matter altogether. Evangelizing new identity ceremonies will be as simple and complex as answering the question: what’s in it for me? The Internet Identity movement needs to start taking a hard look at the human factors of these new systems. Richard Thaler offers this mnemonic device to recall the six most important principles:

  • iNcentives
  • Understanding Mappings
  • Defaults
  • Give feedback
  • Expect Error
  • Structure complex choices

The concept of Choice Architecture and the Nudge could play a large role in the success or failure of these systems. In the end, it will be humans who will either find value in these new identity architectures, or will, with a shrug of their shoulders, ask the community to please try again.
