thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Thursday, January 04, 2007

Identity Management Systems and the State from 1500 to 2008

The following is an edited excerpt from my "Privacy, Identity and Anonymity" manuscript from the CCC congress. It looks like the official video of the presentation will take a bit longer to get online, and the unofficial recordings seem not to have covered all sessions. Just making the slides available would not help, because we mainly used pictures and single words, which are hard to understand without hearing us. So you have to read.

As the sociologists have told us: Managing your identity is managing which roles you have in relation to different people and contexts. Corporate identity management systems have done role management for quite a while. They use role modelling for differentiating the several tasks their employees can take. Who can enter the premises? Who has access to which database? Who can authorize buy and sell orders for which amount of money? This is where the big players like Oracle, Novell, or Sun come from. They call it "provisioning" or "workflow auditing". In the end, of course, it is about controlling employees.

And this is one of the most fundamental functions of identity management systems: Control.

These ID vendors are now also trying to roll it out for the web. Here, ID management from the customer’s perspective (so-called "grassroots identity") is merging with ID management from the corporate perspective. The web companies are also working on it. Yahoo is doing this with its “BBAuth” service, Google is doing it with “Google Accounts”, Microsoft tried it with Passport and failed big time. They are now coming back with InfoCards AKA CardSpace.

Because of all these different approaches, big standards organizations (ISO, W3C, ANSI) have set up working groups on identity management recently. Expect some interesting standard wars here in the short run.

Looking back in history: Who was the first to establish identity management and identification systems? It was the early modern European state. At that time, the first laws were enacted that made it illegal to change your name without government approval. Now, in order to prove to others that you are the person whose name you claim to have, you need some extra proof. Normally this takes the form of identity tokens. At first, these were official letters or seals, and later, we saw the development and spread of passports and ID cards.

The emergence of the computer then replaced names with numbers – social security numbers, tax numbers, passport numbers, and so on. But the idea is actually much older. Jeremy Bentham, who invented the idea of the Panopticon, also suggested that every citizen should have a serial number tattooed on his arm.

But even today, your tattoo is not transmitted when you go online. So, some governments now want to establish a certified, official link between your real physical identity and your online identity. Because this holds quite some potential for large-scale surveillance and control of online behaviour, a lot of people don’t like this idea. Especially in countries without ID cards, people still distrust the idea of mandatory online (and offline) identification systems.

So, what do you do as a security politician or a government agency that wants to establish a tighter infrastructure for control? How do you set up such a system? You start with groups like foreigners or criminals that get little support for their rights in the general population. US Senator John McCain has drafted a bill which would force all convicted sexual offenders to register all their email accounts and all other online identities with the authorities. And they are dead serious about this: If people fail to register, they will face up to ten years of imprisonment. Remember, this is not for raping someone, this is just for not telling the government all your online user names and pseudonyms. Can you remember all of the logins you ever created?

But welcome to Germany, the land of more advanced bureaucracy. The "E-Government 2.0" program, published by the German Interior Ministry in September, has an interesting chapter on electronic ID-cards and "e-Identity". They plan to issue an electronic ID-card from 2008 on, which will enable people to authenticate themselves online with their government-certified ID.

So in Germany, registration of your online identity with the authorities is not a “for criminals only” thing. It will apply to the whole population. And the private sector will love it, as it gives them a better means to control their customers. In the end, we might end up with the government as the ultimate trusted third party or ID provider, and get a "perfect" ID management system that encompasses everybody. (Of course, according to democratic theory, you should not trust governments, but control them and limit their power.)

How will the government build the infrastructure for this? Well, they say they are currently working together with the private sector and some big IT corporations. And this is of course where "Identity 2.0", Windows Vista CardSpace and all the rest come into the picture.

The few critical contributions to the digital identity debate so far have largely focused on the privacy implications: How likely is tracking of people with these systems? It seems to me we should also think about the zoning aspects. Will the internet with an identity layer on top of it still be a space where we can more or less freely move around, or will it be divided into bordered national territories, fenced corporate playgrounds, and only a few open/outlaw places?


Anonymous said...

hey ralf,
glad to see you made good work of our discussion. will send out the syllabus soon - more info on how it was being done back then in there.

take care


6/1/07 15:40
