There is a lot of talk about identity these days. You MUST remember that identities are like names. You are NOT your identity. Your identity points to you. Everyone has multiple identities. Roger Clarke describes this as the difference between entities and identities. You are an entity. Your name, your role in the company, your relationship with your child: these are different identities. Multiple identities aren't just about having more than one email address or chat room nym. A multitude of identities is an essential component of protecting privacy and interacting in an exceedingly digital world.

When the OECD privacy guidelines were created (over 20 years ago), we had mainframes and no Internet. Most personal information was collected and kept by governments, banks and very large institutions in big central computers, and mining that data was expensive and clunky. The notions of "data protection" and "control" made sense back then. They no longer do. With ubiquitous computing, decentralized databases, and information stored and disseminated everywhere, it is exceedingly important to know that 1) once information is created, it exists forever and cannot be "erased", 2) data mining will become cheaper and easier, 3) transborder data flows will become seamless, and 4) profiling will become a common way for businesses and governments to efficiently focus their attention on people and groups that meet certain criteria.

What does this mean? The risk now is that you can be profiled and categorized in a variety of ways that hurt your ability to travel, get a job, get insurance, get married, etc., because you match a profile that increases risk to the establishment, even if only in a statistical way. Interaction with radicals or reading radical material could put you in this profile, so the chilling effect on dissent will be real. It also means that trying to "control information" once it is created is nearly impossible. The trick is to create as little information as possible and to make it as difficult to data mine as possible. If you need to prove you are old enough to drink, there should be an ID that does just that. The library doesn't need your national ID, just a membership card with a picture so they can authenticate you. If you're doing a cash-for-cash foreign exchange transaction, you should only need to prove that you have the cash, or the underwriting of an institution with the cash, to complete your end of the transaction. (Don't get me started on why I think money laundering laws are stupid. I'll do that in another post.)

My point is: we should have different IDs for our different roles. Each of these IDs will have a different bit of authentication and collateral attached to it.

If you deconstruct the different types of ID (I got this from Eric Hughes) you get 4 basic types: your physical ID (your doctor knows this best), your network ID (phone number or IP address), your financial ID (your bank has this info), and your legal ID (government, school; i.e. are you married? A citizen? A graduate?). Different transactions require different attributes. If you're getting married, you probably care most about whether they are married to someone else. If you're doing a financial transaction, you are probably most concerned about whether they can cover their end of the transaction. If you are trying to identify a blogger, you probably care whether they are the owner of the URL. You don't care if my real name is Joi Ito or where exactly I live. As a blog reader, you probably care whether it is the same blogger that has posted all of the other entries on this blog.

That's why I have a problem with central ID systems. If someone gives me a certificate from Verisign that says, "I, Verisign, assert that this is Joe Shmoe from the Canary Islands, and I, Verisign, do not guarantee or offer any liability coverage if he hurts you or even if it turns out that he's not REALLY Joe Shmoe," how much use is that? Even if he IS Joe Shmoe, I don't care where he lives if I can't do anything about it. I'd much rather see a link from a blog that I know saying, "this is Joe Shmoe and I vouch for him!" Or go to a party and have everyone say, "you should meet Joe Shmoe, I've known him for years and I think he's great." Or if I'm trying to have a financial transaction, have his bank provide my bank with a guarantee. You get the idea. The only people who need access to your "entity" are people who have the power to throw you in jail or need to collect on long term contracts and liabilities. For MOST transactions, your physical location is not relevant or useful.

The other important thing from a privacy perspective is that you don't want all this stuff getting linked together. Organized crime is already using personal information to blackmail people. One common "query" is, "find me all company directors who are in debt and have families." They buy these liabilities and "collect" using blackmail. Your "I'm a papa" ID, your "I've borrowed money" ID and your "I am a board member of Foo Co." ID don't necessarily need to be linked. Life would go on without these links. Yes, it would slow down projects like TIA, and yes, central IDs are convenient, but traditional investigative crime fighting has more tools than ever before without making it so easy that criminals can use it and political groups in government can abuse it.

In Japan there is a left-wing newspaper called Akahata. The list of subscribers is tracked by the police and leaked to big company HR divisions. If you subscribed, you often can't get a job at a big company. If your parents subscribed, you can't become a public prosecutor. Now, they do this by hand. Imagine what would happen if they could instantly run "negative profile queries" and "filter". What you read today, write today, who you meet, have lunch with, post on your blog and later erase, where you wandered, who you rented your apartment to: they could ALL cause your children to be "filtered".

There is another issue. Identities are easy to forge. You can make the technology as robust as you want, but the chain is as weak as the weakest link. Biometrics on an ID card only prove that you're the one the card was issued to. They don't prove that the issuer issued it to the right person. (Good article in The Register about this. Thanks Peter.) The point of data entry is still VERY weak in most systems. Over 10% of Canadian SS#'s are fake. Centralized ID systems meant to be used for "everything" increase the value of compromising the point of entry into the database. The better architecture is a variety of IDs suited and designed for specific types of transactions and interactions, with a distributed network of authenticators and points of data entry.

If you need an ID with biometrics for financial transactions, a bank and a hospital should jointly issue IDs. This would be much more robust than some biometric ID issued at some government office.

Anyway, I rant and rave about this stuff in my "privacy experts" circles, but I realized that I hadn't ranted here recently. So as we think about FOAF, cameras pointing at my face, and location moblogging, it is essential not to forget that WE need to be in control of what information we create and how this information is tagged, stored and authenticated. Peer-to-peer / end-to-end thinking is essential for privacy as well. Make client software that collects information from catalogs and locally recommends stuff to you, not central servers of user profiles. Empower the people, not the merchants and the governments.

Got the idea for the title of this item when Acrobat told Anita that she wasn't Anita, but that was her name. ;-)

36 Comments

I wonder if you can buy gift subscriptions for Akahata. :-)

This is a non-trivial problem, and intuitively I feel the multiple ID technique is a temporary workaround, not a long term solution.

Two major challenges come to my mind: 1) aggregation and inference of information from the 4 atomic types of ID can expose the entity; 2) the legitimate need to access more than one ID type in a single transaction.

I really don't know how "empowering the people" would help though. Fair and explicit regulations (laws) regarding the management (collection, access and storage etc) of personal information and a transparent identity management framework seem required here, not playing cat and mouse with the government, corporations or whatever.

Dirk (who subscribes to Akahata and has a family member writing for them... see you at "Hello Work" soon :-)

Dude,
You used a buzzword without defining it: OECD. But besides that - right on.

I know on one side we don't want to link up identities, but what if you WANT to link up identities? As long as we put on the right controls, we 'should' be able to keep out the regulators, pay collectors and bible salesmen - while uniting artists, resume publishers and social scientists.

Remember this ID game has been going on for a long time - from the moment you're born - a SS # is stamped on your head. So any attempt at establishing new ID systems, must take into account all that has transpired so far.


Multiple IDs (or avatars) is the way to go. It's the only model that models the real world.

Dirk : I guess I disagree. You can make databases that use fingerprints where you can authenticate with a fingerprint, but can't then use the fingerprint to figure out the person. The 4 basic types are components of authenticating or are attributes of identities. Also being able to interpolate costs money. Having a single searchable number is scalable and easy. The key is to make it not "pay" to data mine. It's all about cost performance.

As for requiring more than one type of ID for a transaction. I totally agree. I think that you should have levels of ID. You can have your bank and your doctor and your bank and other people able to authenticate parts of your ID get bundled together to create meta-IDs with the necessary attributes for the transaction. This meta-ID can be meta-data. I.e. your doctor asserting that he knows you and knows that you are healthy and fit to be in the Army, without going into detail and making it more difficult for the Army to compile a detailed database without high costs.

My point about SS#'s is they are used to profile people, but all criminals have many SS#'s. It's easy to game the system if you're trying to do something bad and difficult to escape it if you're a good citizen.

Back to Dirk... I don't think that you can "manage" information well with laws. You have to create computer architecture that makes it difficult or impossible to abuse this information and the way to do this is decentralization and segregation.

Back to Marc: I agree. You should explicitly link IDs and make things public under your terms. It's information about you that you don't know that's dangerous. I know I have this silly camera pointing in my face right now. That's fine with me. I would hate to have a camera on me that I didn't know about.

Marc: OECD stands for Organisation for Economic Co-operation and Development which created the guidelines for privacy that are the basis of many of the privacy directives and regulations today.

Joi,

no offence, but your reply is that of a technocrat: "create a computer architecture" to solve your problems. Are you serious? Problems with privacy are the symptoms, not the illness. Systems won't solve these problems. Admittedly laws aren't the answer to everything, but they are a good means to change people's behaviour. And people are the real cause.

Your fingerprint example is illogical. You cannot grant a privilege to an attribute of a person without knowing who that person is. First there is the person, then his attribute. I cannot authorise Joi Ito's fingerprint without knowing that it belongs to Joi Ito. There is a genuine need for accountability and audit trails, it's not all evil you know.

I think you slightly misunderstood me about the dual ID requirement. Let me illustrate: Your medical ID is of no interest to your banking environment. Easy. But your legal ID is definitely of interest in your banking environment. A legitimate need. So two IDs have become one. Back to the doctor: he has a need to link to your health insurance ID. Again two entities know more about you than you have originally intended. The chains may get longer and eventually become a closed circle (say, your health insurance company is also your bank).

Your system will prevent none of it, in fact it will gradually break down the more interconnected it gets, that's why I think it is a dream.

Dirk

Dirk: I agree that you need laws to influence behavior, but it is the architecture and the code that will either make it easy to abuse or difficult. Even if you have laws, making it difficult will tempt people less and make the cost performance of abuse cause abuse to be less likely. You need BOTH.

For example, there are fingerprint databases used to authenticate people for services in Canada and other places. The fingerprints are stored in such a way that, as with one-way hashes, it is possible to prove that a certain finger is associated with a certain IC card, but one cannot recreate the fingerprint from the data or compare the authentication data with another database of fingerprints. Instead of storing the fingerprint data itself, you store the fingerprint information hashed or otherwise made irreversibly linked to the specific authentication system at hand. This makes the database useless to someone who is trying to create some other database with this information.

Linking IDs does not make them one. It's the cost and the ease of linking systems that helps prevent their abuse. You must make such links and cross references deliberate and difficult. When it is required, auditability and linkages should be allowed. What should not be allowed is open ended architecture which says, "let's collect this information in case we need it in the future," or "let's use the same numbering scheme in case we might want to mash it together with some database in the future." I truly believe it is better to err on the side of not having enough information vs. having too much.

For example, when Mizuho Bank tried to merge its accounts it was a total failure. It cost billions of dollars and they were unable for months to do this. Merging and sorting data is a very difficult task, which is becoming easier, but is quite difficult at the moment. Theoretically, what you say about "we've lost our privacy already" is correct, but if you consider cost and ease, the point is to not make it so easy that it becomes something common.

Organized crime is a business. Businesses have business plans. It all revolves around cost performance. Making it easy lowers costs and increases risks.

Same with governments. If the US government could go to the Japanese foreign ministry and say, "I'd like a list of all of the 'terrorists' in Japan and here is their profile." If it cost a billion dollars to do the profiling, I'm sure the ministry would say, "we cannot do that." If it was a matter of doing a few Excel spreadsheets, I bet the ministry would say, "here are the 5 million people who fit that profile." It's not black and white, but you MUST "lean into it", otherwise our privacy will wither away more quickly than it currently is.
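The fingerprint storage Joi describes above (data that authenticates a card locally but cannot be rebuilt into a fingerprint or matched against another database) is, in practice, a hash keyed with a secret private to each system. The block below is an added example, not code from the post or from the Canadian system mentioned; it assumes the template is a stable byte string (a real deployment would need a fuzzy extractor or similar template-protection step to obtain one from noisy sensor readings) and contrasts the keyed design with an unkeyed hash that lets two tables be joined.

```python
"""Per-system keyed pseudonyms for a biometric-backed ID card.

Added example, not code from the original post or from any real deployment.
It models the property Joi describes: each authentication system stores only
a keyed hash of the enrolled template, so the system can verify a card holder
locally, the template cannot be recovered from the stored value, and two
systems' records cannot be joined on the biometric.

Assumption (not from the page): the "fingerprint template" is a stable byte
string. Real sensor readings are noisy, so a deployment would first run them
through a fuzzy extractor or similar template-protection step to obtain one.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthSystem:
    """One authenticator (a bank, a clinic) with its own private HMAC key."""
    name: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    records: dict = field(default_factory=dict)  # card_id -> stored pseudonym

    def pseudonym(self, template: bytes) -> bytes:
        # HMAC-SHA256 under this system's key. Without the key, the output
        # cannot be recomputed from a template or matched against another
        # system's table, which is what makes the records unlinkable.
        return hmac.new(self.key, template, hashlib.sha256).digest()

    def enroll(self, card_id: str, template: bytes) -> None:
        self.records[card_id] = self.pseudonym(template)

    def verify(self, card_id: str, template: bytes) -> bool:
        stored = self.records.get(card_id)
        if stored is None:
            return False
        # Constant-time comparison so timing does not leak the stored value.
        return hmac.compare_digest(stored, self.pseudonym(template))


class UnkeyedSystem(AuthSystem):
    """The weak variant: a plain SHA-256 of the template. Every system that
    does this produces the same value, so their tables can be joined."""

    def pseudonym(self, template: bytes) -> bytes:
        return hashlib.sha256(template).digest()


def cross_system_matches(a: AuthSystem, b: AuthSystem) -> list:
    """What a data miner holding both tables (but no keys) can link: pairs of
    card ids whose stored pseudonyms are identical."""
    by_value = {v: cid for cid, v in a.records.items()}
    return sorted(
        (by_value[v], cid) for cid, v in b.records.items() if v in by_value
    )


def demo() -> dict:
    # Constructed sample templates; placeholders, not real biometric data.
    alice = b"alice-template-bytes"
    bob = b"bob-template-bytes"

    bank, clinic = AuthSystem("bank"), AuthSystem("clinic")
    bank.enroll("card-1001", alice)
    clinic.enroll("card-2002", alice)
    clinic.enroll("card-2003", bob)

    # The same people enrolled in two systems that skipped the key.
    bank_w, clinic_w = UnkeyedSystem("bank"), UnkeyedSystem("clinic")
    bank_w.enroll("card-1001", alice)
    clinic_w.enroll("card-2002", alice)
    clinic_w.enroll("card-2003", bob)

    return {
        "bank_verifies_alice": bank.verify("card-1001", alice),
        "bank_rejects_bob": bank.verify("card-1001", bob),
        "bank_rejects_unknown_card": bank.verify("card-9999", alice),
        "keyed_matches": cross_system_matches(bank, clinic),
        "unkeyed_matches": cross_system_matches(bank_w, clinic_w),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key is the linchpin: if two systems share a key, or one system's key leaks, their tables become joinable again, so the unlinkability rests on each authenticator keeping its own.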

Joi, there's a missing point. The multiple identities in one field. I have this problem all the time, which is very annoying.

Here on this weblog I am Karl Dubost, La-Grange.net (which is not me but a part of me).

In certain circles, I am Karl Dubost, W3C Conformance Manager.

The only way I have to distinguish who I am now on the Web is to sign or/and send comments with a particular address.

Karl La-grange.net, individual person at his home is writing with karl@la-grange.net and http://www.la-grange.net.

Karl W3C, conformance manager at his workplace is writing with karl@w3.org and http://www.w3.org/People/karl/.

One issue with that is journalists who have a tendency to forget and do not respect that, except a few I know. People don't notice that these kinds of errors about the identity of the person can be very, very damaging for the person: trust, loss of job, etc.

In terms of the general identity and the profiling. The problem is not necessarily the fact that everyone knows about your identity or has a profile of your identity. I'm not naive, some organizations have the power to do it already and they do it.

The problem is about the use of that information. Can someone with information about me act against my will and be harmful?

In a small village, the privacy almost does not exist, in a family it's even worse. But at the same time, people have usually not so much differences in terms of power, so we are able to live in such small community. If someone gets too much power, usually the rest of the community will act against it because the power is immediately accessible (not always true though :/)

Now people think that if they are in a city, they are anonymous and protected by the numbers of people around... it was almost true, it will be less and less true, because of many things, encounters with other people, Cameras cellphones, weblogs, etc.

Example: You have met a friend in the street this afternoon, you come back, you tell the story on your weblog. Your friend didn't tell you that he was having a love affair and was supposed to be elsewhere. The wife of this friend is reading your weblog and finds out. You had an influence on the freedom of someone else.
This is true for someone and a job, for someone and medical problems, etc.

The information and its use becomes something which is more and more interesting.

The irony is that now, to become anonymous, you had better go back to the countryside and be known by a small community away from the hype of the city.

One thing I'd like to mention is that when you try to granularize identities, it's an attempt to eliminate unnecessary information bleeding into relationships.

What is not taken into account is that information from those other "identities" has been beneficial. If someone knows "Joi the blogger" but nothing else, it causes you to miss out on possibilities they would have seen if they knew you as "Joi the entrepreneur".

This is also like the "freedom" we enjoy in the United States. With that comes inherent risks but to try to eliminate those risks means curtailing certain freedoms as well. This all boils down to Karl's last statement.

You're not your fucking khakis.

Sorry, couldn't resist the Fight Club reference.

Once you divorce yourself of a connection to 'your' identity, things get easier. Welcome to the underground, the black market, political resistance networks, and all the fun stuff that identity hackers have been doing for decades, centuries, and so forth...

Tyler Durden

Dirk: Why does my bank need to know my legal ID? If I deposit cash in my account, all they need to know is that (a) it isn't counterfeit and (b) they can authenticate me as the owner of the account. They don't need to know who "me" actually is. (And in fact many countries have built entire banking industries around *not* knowing, and therefore not being able to tell others.)

Non-cash deposits actually take place between banks, with the bank on either end verifying that a particular instrument represents real money. Again, neither bank necessarily needs to know who its own customers are, much less who the other bank's customers are. One of the original functions of banks was to serve as trusted intermediaries between non-trusting strangers, after all.

Karl: I think some blurring of the lines between identities is inevitable. I have at least three distinct web identities. Though I try to segregate them for convenience--so that my work-related email shows up in my work account, for instance--some blurring is inevitable. I'm not convinced that's a bad thing. If your friend is worried about getting caught having an affair, well maybe he shouldn't have had the affair in the first place. If you're worried about your private opinions coming back to haunt you at your job, maybe you should find a less uptight employer. When everyone is equally vulnerable to identity blurring, the culture will adjust to deal with it.

Hashes for fingerprints: they are really keyed hashes, of course.

On linking ID: There are some types of link and ID, and these enable fine-grained control. People working on ID Federation specs know better.

  • Link Types:
    • one-way link
    • two-way link
  • ID Types:
    • permanent ID
    • semi-permanent ID
    • long-lived ID
    • short-lived ID
    • session ID

Real world problem 1:

Too many people in Japanese Government are possessed by the "one stop service" hype, where people send all application forms to the single "e-Government" site and then people don't care how their personal information is processed in the back-office and shared among governmental organizations. Bureaucrats even dream that many private-sector services are integrated into "one stop service", and that all information is shared.

Real world problem 2:

Filter. Bureaucrats, business people in large companies, and main-stream academic people in Japan usually dislike the assumption that the government may act as an adversary against people, and then often filter ideas which include such assumption, and even people who insist on such ideas.

Even in the community where people are talking about security and privacy issues, such a filter influences people. Hiromitsu Takagi, who recently raised privacy issues on RFID in Japan, attacked me for this reason. He raised the issue that outsiders can invade privacy exploiting weakness of cheap RFID tags, each of which always replies the same (encrypted) ID. I praised him and raised insiders' issue. Then, he attacked me and wrote that he does not want to be regarded as a "left-wing brain-damaged activist" and that he needs to differentiate himself from such people ;-)

No one's mentioned David Brin's Transparent Society yet (one-line summary -- chill out about your own privacy, as long as you're sure those with power ain't got none!). Even if you disagree with it, there's valuable perspectives in there.

I laughed when i saw the title of this post. I've been to tons of workshops, and for years now i've been very consciously saying "My name is John" and hearing others say "I am ". It's a subtle but important distinction.

"The map is not the territory." --Alfred Korzybski

Katherine wrote: Why does my bank need to know my legal ID? [..] They don't need to know who "me" actually is.

In an ideal world with no criminals, the above would indeed be true. Unfortunately, money laundering is a real issue, and most jurisdictions across the world have thus enacted "know your customer" regulations which require banks to conduct a reasonable amount of due diligence on their clients.

See e.g. http://www1.oecd.org/fatf/NCCT_en.htm

Katherine: You said: "I'm not convinced that's a bad thing. If your friend is worried about getting caught having an affair, well maybe he shouldn't have had the affair in the first place."

In this statement, you make a lot of assumptions which go from morality and choice of life to the statement "if I do nothing bad, I don't have to worry".

Let's take another example, less controversial for you. You have contracted HIV (AIDS) because you had a blood transfusion 6 years ago. You follow a treatment and you are going to a special center for that. Same scenario: someone sees you, comes back home, blogs about it. Your boss or your friends are looking on the Web; you didn't want that to be known but it's too late. You may even be fired, with another reason as an excuse.

Life is not as simple, you can have secrets, you can have moral choices that do not comply with other people choices, etc.

Ed: Excellent point!

What you are trying to achieve is to avoid a unique identifier. If you are a biometrics-believer, then you have not taken into account that your biometric template (or its hash) is such a global unique identifier (not 100%, but close enough). I am not familiar with a keyed hash mentioned by Sakiyama-san, but that only makes sense when keyed at source, i.e. the entity that is trying to protect its identity. That means a key for every other entity you interact with! Getting hairy. Furthermore it does not resolve what I have said before: the other side will not be happy with your keyed hash fingerprint on its own. At destination it will have to be attached to something else about you, the "real" data like your address etc.

And I maintain that two IDs will merge if the real data matches (two biometric hashes, one address negate the separate hashes, because now you have a common key).

Apart from all the technical discussion none of the arguments convince me why I would want anonymity or a degree thereof. It's an obvious flaw trying to design an unbreakable system, you will not succeed. The objective is to prevent abuse of personal information. A privacy law which says something like "store only what you need for this activity, store it safely, don't share it, destroy after x years" (information lifecycle management) is what we need, not a real-life role playing game. If you read the Register article about the Belgian ID scheme, you realise that they collect only a limited set of info. Then you decentralise it, separate from other schemes (inefficient, but that's the point to ensure privacy). Then you make a law that prevents sharing. If someone is found violating it, penalise. So maybe a better objective would be to design a scheme that prevents or detects that information has been shared (just ask the RIAA, sure they have some ideas).

By the way Joi, I have got this great investment opportunity with a friend of mine. But he's not going to tell you his name, address, financial circumstances. He can leave his fingerprint though! Contact him by leaving out a package with the next incombustible rubbish containing your payment details. Cheers mate.

How on earth is an avatar scheme mirroring the physical world, as someone has stated? On the contrary, trust and confidence is built on reliable, consistent and static information (coming back to Ed's very valid point).

Dirk

Let me clarify my position. The point is to try to protect democracy and check against the centralization of power. Power gains power by making its activity secret and hampering those who attempt to check power by controlling activity that threatens the power. There should be transparency in order to check power and raise issues necessary for democracy to the surface. My "privacy concerns" are not about whether I'm embarrassed, but more about large groups of people being discriminated against or a chilling effect causing a stifling of public debate due to an inability to question authority. I believe that profiling on a large scale by the government or other "power" should be hampered, even at the cost of efficiencies and law enforcement.

My other point is that many data collection techniques and identity technologies that are put in place to track and audit criminals are easily gamed by professionals. The ability for law enforcement to use such systems is poor and the result is loss of privacy without much gain in the ability to track terrorists or professional criminals. In fact, often the opposite is true, since you get a false sense that things are being tracked, just as firewalls give you a false sense of security and cause people to write poorly secured code for "inside the firewall."

I agree that there are many cases where your entity has to be disclosed. Entering into any long term relationship, an investment, a loan, a marriage requires entity authentication.

Many transactions should not require this. Renting a movie, borrowing a book, requesting the government to clarify a law, a request for information from the government, whistle blowing (at least initial contact), consultation for sexual harassment, AIDS tests, drug addiction therapy, etc. There are many technologies that enable such identities to be useful without linking them to your entity and these instances should be considered and made available.

"It's an obvious flaw trying to design an unbreakable system, you will not succeed."

"Unbreakable" is difficult, but all I am trying to do is make it more difficult and more costly so that it doesn't happen on a large scale at a low cost. No sense in making it easier for people to have their information abused.

John Abbe : I like the transparent society idea. I guess my point is, if it is totally transparent, it might make sense, but those in power must first make themselves transparent so that processes cannot exist in secrecy. Once secrecy is gone and democracy is in place, transparency makes sense too since anyone trying to abuse the system will soon be found out. The problem I have is that it appears most governments feel that they have the right to secrecy whereas individuals do not. This is like disarmament. It has to be bilateral.

I think the "ideal society" is a great idea, but a ways off.

OK, we're getting closer to the real agenda here, which I still believe is flawed and I am surprised how you can still maintain your position.

You demand transparency for the currently opaque (government), and opacity for the currently transparent (citizens) and a few lines later proclaim "transparent society" and bilateralism.

Books and movies: you seriously claim that renting or lending anything of value to someone whose identity you cannot be certain of is reasonable.

"requesting the government to clairfiy a low [sic], a request for information from the government, whistle blowing (at least initial contact), consultation for sexual harrassment, AIDS tests, drug addiction therapy, etc."

These are basic principles of a free society, the nuts and bolts. No technology will achieve a free society. Technology can be a tool in the arsenal to maintain it, but not the means to get it.

If you cannot criticise your government openly, fight institutional harassment, feel safe from discrimination due to race, medical condition, sexual orientation, political and religious beliefs and the like, your problems run far, far deeper than a lack of privacy. The system is so corrupt that you have to rebuild or replace it, not patch it with some fancy-sounding biometric and avatar trickery.

I get the feeling you are in love with fighting a war and preaching technology as your magic weapon that cures all evil, instead of contemplating why this war is being fought in the first place. Meanwhile you ignore that a society is shaped by its people and their values. Work on shaping those first, get people to believe that protecting from the things above is important, that freedom is normal and desirable. And that, to a large extent, people can trust your government. Oh yes.

Why is there no discussion about trust here? You are only talking about suspicion and distrust. How you bring good, and they are bad. Security and risk are all about trust. This lack of trust in a relationship is unsustainable in the long term, which as a businessman you really should know better.

Dirk

MostlyVowels: Know your customer laws serve a government purpose, not a banking purpose. I think it's important to distinguish between the two, especially when talking about privacy and identity issues. For example, what rights does the bank have to the data it collects in support of a law enforcement purpose? Is the invasion of legitimate banking customers' privacy really necessary to prevent money laundering, or are there better ways?

Karl: Yes, I know about the possible abuses of personal data that can happen. My point is that an armed society is a polite society: I'm less likely to dig into someone else's secrets if I know they can dig into my own just as easily. I'm less likely to tolerate abuses of private information if I know I could be the next victim. Hence, society will develop new norms around what is and isn't private, and what can and can't be done with private information.

I still don't have much sympathy for your hypothetical friend who got caught having an affair, and my lack of sympathy has nothing to do with the morality or immorality of the act. See, I grew up in a small town, where everyone knew everyone else's business. It seems obvious to me that my various circles of acquaintances are inevitably going to overlap and talk to each other, possibly about me, unless I take specific steps to make sure they don't. Blogs have given gossip a wider audience, but gossip itself is probably as old as humanity. It's a global *village*. Deal with it.

Dirk: I am fighting for much more than just technology. I fight inside and outside government to build a better democracy in Japan on many fronts, privacy and technology being one important component or tool in the arsenal, as you say.

Trust is very important, but I trust people, governors, friends, communities... not institutions which have no accountability or that hide behind secrecy. You must ALWAYS question authority. That is the reason we have distribution of the branches of government. Trust must be earned and trust should be for the trustworthy. The Japanese government does not have my trust, but I work closely with the government to try to ensure its proper functioning as much as possible. I don't hate the government, but I sure don't trust it. No one should trust it unconditionally.

I think pure anonymity is a great solution, but when you can't get that there are still big advantages in splitting up the authority. Consider this bit of irony: in the United States you usually need a driver's license to buy alcohol. Yes, most don't drink and drive, but it's still an odd connection.

Splitting apart bits of our identity is already being adopted by some US banks as a security precaution. New US credit cards come with a three digit security code printed on the back of the card. This number is supposed to be used only for online transactions. Stores that touch the card itself don't record this. Creating this online-only PIN prevents clerks in the stores from stealing the credit card number and using it online. Their databases don't have this bit of information.

This is a very simple example, but I think splitting identification into smaller parts can add many practical obstructions for people who want to abuse the databases. I like to frame this as a security solution instead of a privacy one because everyone seems to use security as the root password to their agenda. I think it's common for the more security-minded people to routinely split apart access to information as a way to limit damage.

There are a few simple ways to implement this and a few more rococo solutions. One of the most extreme solutions binds all of the information into one digital ID, but allows you to reveal only parts of this information as you choose. You could reveal your age to a liquor store but not your driver's license number. Your doctor could get your medical insurance number but not your social security number. Etc. It's pretty fascinating.

Comment #1: This is my first post to a weblog. Ever.

Comment #2: I agree with Joi and Roger's characterization of identity.

Comment #3: I disagree with Joi and Roger that the OECD Guidelines do not reflect an understanding of the importance of multiple identities. In fact, one of the best reasons for regulating the use of data by Organization A is so that a person can maintain a separate identity with Organization B. This was all well understood in the early days of privacy protection.

Comment #4: Democracy requires multiple identities.

Comment #5: See comment #3.

Regards,

Marc.

Marc, good point about OECD. I guess my question would be: isn't there still too much emphasis on data protection, as if you could do it after it was created, rather than on the process of not creating it?

Joi,

well, in this discussion we have come a long way from some glamourous, anonymous, biometric avatar fantasy to discover a fairly unspectacular reasoning of a "reverse need to know" policy to give everyone only what they are entitled to handle, for a given purpose. Everything else is outlawed. If you want to call that multiple identities, up to you. It is solid privacy legislation and practice elsewhere (hint: it's not the US).

I do question authority, and given your purported public involvement in these matters I also have to question you.

Previously I was concerned about two things. Firstly, that the Japanese government is unable to pursue change. Secondly, that the Japanese electorate would not penalise any wrongdoings. Now my third concern is that the people who are genuinely interested in change, and probably less technologically aware, are led to believe that the techno-babble we have initially seen here will solve their problems.

Dirk

Dirk: I am probably more of a trouble maker than an "authority" to those in power, but you SHOULD question me and you are questioning me so I assume we're OK on this issue.

I would have to disagree, along with many privacy experts, that "It is solid privacy legislation and practice elsewhere." See our report.

I think the "techno-babble" about how a national 11 digit ID will help Japan become a leader in e-Government and will help make our lives more convenient and happy is the disinformation. I'm trying to point out the risks that many of the current government and commercial initiatives pose to our privacy and in turn our freedom and democracy. Call it "techno-babble" if you want, but I think it's the people who are ignoring the risks who are babbling.

I'm sorry to clarify that my disrespectful term techno-babble was referring to you, actually.

How much privacy is "sufficient" is debatable and subject to opinion, beliefs etc., and, maybe surprisingly after my long postings here, of minor interest to me. My aim was to deconstruct your proposed mechanisms.

Thank you for this discussion.

Regards

Dirk

PS: And thanks and apologies to those who followed the link to my pages, only to find out it is completely unrelated and trivial. :)

This is a great discussion. I agree with Joi that we all have multiple identities that manifest in different contexts. Sometimes those differing identities may cause each other difficulties.

The issue is not that technology can solve our problems as much as it is the current situation that technology is the cause of the privacy problem in the first place. There are so many databases that connect our human transactions in the world that the system sees us as one conglomeration, not our separate identities.

As an example: In the professional environment I manifest as a security professional. In that environment I deal with a very conservative and often insular group of people. Being "different" is not the norm.

In postings above there was reference to someone having an affair. That example caused a variety of responses, but a better example may be an individual's religious or political orientation.

Outside of the professional environment I manifest an identity that has a significant interest in religious freedom of expression for Tibetans who are currently oppressed, often violently, by the Chinese government.

Now as a professional, I may want to interact, possibly travel to China and do business in the future. In fact, I believe that interacting and being in relationship among nations through business, cultural exchange, etc., is the best way to open communications and gain mutual understanding.

However, the government of China may not be so inclined to allow me (that is the professional me) entrance in the future if their database indicates that the (personal/religious) me that technology conglomerates into a single entity, is a subversive against the Chinese people and therefore I am denied access, or possibly allowed access and then followed and arrested as an enemy of the state for talking to the wrong individual. (Not just a hypothetical scenario).

The privacy issue crosses national borders. The internet has created a global village whether we like it or not.

It may be a pipe dream, but it would be wonderful if technology could solve the problem that it currently creates. The discussion, and the search for a solution, is an important one.

David

Dirk, it was clear that the "disrespectful term techno-babble" was referring to me. I was just trying to assert that it was those who were pushing simple solutions without privacy concerns who were the ones who were babbling.

Did you all see the Technorati claim your blog function? Very good from an identity management perspective.

Ed on July 16, 2003 11:38 PM

Ed: One thing I'd like to mention is that when you try to granularize identities, it's an attempt to eliminate unnecessary information bleeding into relationships. What is not taken into account is that information from those other "identities" has been beneficial.

The benefits of information "bleeding" between various identities might be outweighed by the risks. Every individual should be able to consciously authorize whether to allow this bleeding or not. This is why it is important to have well-segregated identity registries which make it impractical to consolidate information about you, leaving *you* in control.

Joi: My "privacy concerns" are not about whether I'm embarrassed, but more about large groups of people being discriminated against or a chilling effect causing a stifling of public debate due to an inability to question authority.

I wholeheartedly agree. I'm hoping for the emergence of an architecture based on temporary, untraceable but *unique* IDs for each human. Such unique IDs could be useful when conducting e.g. on-line referendums, polls, discussions etc. whilst ensuring that a human doesn't swamp or distort results by faking multiple persons. A Trusted Third Party (TTP) could perhaps synthesize a unique temporary ID based on individual data, e.g. your government-issued ID card number, or your driver's license, or a biometric data hash... The temporary ID could then be used to sign your messages, and the poll administrator could then query the TTP to ascertain whether a temporary ID (or certificate) is valid, whilst being unable to determine the real identity of the signer. The idea is similar in concept to the SET protocol used for on-line credit card transactions. The seller doesn't know your credit card number, the bank certifying the SET transaction doesn't know what you buy, and information segregation is realized.

The TTP should record that it has issued a temporary ID for a particular unique entity, and ensure unicity by affirming that it won't issue another temporary ID associated with an entity before the temporary ID expires -- e.g. after 1 year -- or is revoked for some reason. To make forensic data conflation more difficult, all information about temporary IDs -- e.g. backup media -- should be destroyed after a temporary ID's validity period expires.

Dirk: Books and movies: you seriously claim that renting or lending anything of value to someone whose identity you cannot be certain of is reasonable.

Why not? Lending/renting is a pure economic transaction. The renter just needs a reasonable assurance that a way exists to recover a potential economic loss. This can be achieved by a mechanism similar to a credit card. A financially trusted entity like a bank can vouch for the solvency of the renter: "yes, we are confident that Mr. X has the financial wherewithal to be able to compensate you, should he damage or lose the movies he's borrowed". There's no fundamental need to disclose the customer's ID to the renter.

Katherine: Know your customer laws serve a government purpose, not a banking purpose. I think it's important to distinguish between the two, especially when talking about privacy and identity issues. For example, what rights does the bank have to the data it collects in support of a law enforcement purpose? Is the invasion of legitimate banking customers' privacy really necessary to prevent money laundering?

That's a difficult issue. The law indeed serves a government purpose, but one could also assert that assisting in the implementation of fraud and crime prevention would ultimately be beneficial for the society at large, the banks and for their non-criminal clients...

Dirk: Why is there no discussion about trust here? You are only talking about suspicion and distrust. How you bring good, and they are bad. Security and risk are all about trust. This lack of trust in a relationship is unsustainable in the long term, which as a businessman you really should know better.

I think History is riddled with examples of how human governments and institutions are prone to act in such a way that effective accountability doesn't exist. The potential for significant damage before corrective measures are implemented is a wholly sufficient reason, IMHO, to maintain a healthy amount of distrust towards government. I certainly do *not* believe, for example, that the *individual* interests of bureaucrats and elected officials are necessarily aligned with mine or the nation's interests. Why should I then trust them?
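The temporary-ID scheme sketched in the comment above (a TTP issuing one live pseudonymous ID per entity, a poll administrator checking validity without learning who is behind it, records destroyed after expiry), worked through as an added Python example that is not the commenter's code. It substitutes HMAC tokens for the certificates the comment mentions, counts days with a plain integer instead of real dates, and the entity identifier is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    temp_id: str     # shown to poll administrators; bears no relation to the real identity
    token: bytes     # per-credential secret used to sign ballots; never shown to administrators
    expires_on: int  # day number (stand-in for a real date) after which the ID is dead


def sign(token: bytes, message: bytes) -> bytes:
    """Holder-side signature: HMAC over the ballot with the credential secret."""
    return hmac.new(token, message, hashlib.sha256).digest()


class TrustedThirdParty:
    """Issues at most one live temporary ID per entity and answers validity queries."""

    def __init__(self, validity_days: int = 365) -> None:
        self._key = secrets.token_bytes(32)  # TTP-only secret keying the entity tags
        self._validity = validity_days
        self._creds: dict[str, tuple[bytes, int, str]] = {}  # temp_id -> (token, expiry, tag)
        self._link: dict[str, str] = {}  # entity tag -> temp_id: the only place linkage exists

    def _tag(self, real_id: str) -> str:
        # Keyed hash of e.g. a national ID number: the raw number is never stored, and the
        # tag cannot be brute-forced from candidate numbers without the TTP key.
        return hmac.new(self._key, real_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, real_id: str, today: int) -> Credential:
        tag = self._tag(real_id)
        current = self._link.get(tag)
        if current is not None:  # one live credential per entity
            if today < self._creds[current][1]:
                raise PermissionError("entity already holds an unexpired temporary ID")
            self._purge(current)  # previous credential has expired: a fresh one is allowed
        temp_id = secrets.token_hex(16)  # random, so it carries no trace of real_id
        token = secrets.token_bytes(32)
        expiry = today + self._validity
        self._creds[temp_id] = (token, expiry, tag)
        self._link[tag] = temp_id
        return Credential(temp_id, token, expiry)

    def _purge(self, temp_id: str) -> None:
        _, _, tag = self._creds.pop(temp_id)
        self._link.pop(tag, None)

    def revoke(self, temp_id: str) -> None:
        self._purge(temp_id)  # early revocation (lost token, etc.); a new ID may then be issued

    def destroy_expired(self, today: int) -> int:
        """The 'destroy the backup media' step: drop every record past its validity period."""
        dead = [tid for tid, (_, expiry, _) in self._creds.items() if today >= expiry]
        for tid in dead:
            self._purge(tid)
        return len(dead)

    def validate(self, temp_id: str, message: bytes, signature: bytes, today: int) -> bool:
        """Answers only whether a live temporary ID signed this message, never who holds it."""
        entry = self._creds.get(temp_id)
        if entry is None:
            return False
        token, expiry, _ = entry
        if today >= expiry:
            return False
        return hmac.compare_digest(sign(token, message), signature)


class PollAdministrator:
    """Sees only temp IDs; relies on the TTP for validity and on one ballot per ID for unicity."""

    def __init__(self, ttp: TrustedThirdParty) -> None:
        self._ttp = ttp
        self.ballots: dict[str, bytes] = {}

    def cast(self, temp_id: str, ballot: bytes, signature: bytes, today: int) -> bool:
        if temp_id in self.ballots:
            return False  # the same credential voting twice
        if not self._ttp.validate(temp_id, ballot, signature, today):
            return False  # forged, revoked, expired, or never issued
        self.ballots[temp_id] = ballot
        return True
```

The TTP's link table is the single point where real identities and temp IDs meet, which is exactly why the comment wants those records destroyed once a validity period ends.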

Joi Ito: ...if it is totally transparent, it might make sense, but those in power must first make themselves transparent so we [sic?] processes can not exist in secrecy.

Okay, except why does it depend on them making themselves transparent? Or rather, what can we do to help them along? My preferred strategy is that through non-coercive means they decide to do it willingly, but frankly i don't see it as terribly coercive if people find ways to uncover what "powerful" folk are up to, especially if those powerful folk have formally (or informally) applied transparency to the general populace.

Joi: I think the "ideal society" is a great idea, but a ways off.

So you don't have hope for sufficient transparency in the near term? (and this particular work of yours is about ameliorating short-term damage?)

It seems to me that sufficient transparency could be achieved within 10-15 years. What do others think?

As long as you've brought up "ideal society", the deeper issues i see here are to decentralize power so that it's not so important what a particular group of people decides, and most of all to generally heal our nearly pan-cultural beliefs that lead to people doing so much crappy stuff. This i can imagine taking more than 10-15 years :-).

John: I agree. Those in power will not change themselves. I also agree with you that decentralization is the deeper issue. I'm a bit pessimistic about causing change in the short term on this issue. I think it requires an uprising of the people or some sort of "revolutionary" action to disrupt power like the power that is in place in Japan. Having said that, on a 10-15 year span, almost anything can happen. Although I am pessimistic, I am pushing for change on a variety of fronts. Our panel at Davos focused on this issue.

(Sorry for straying off from the privacy discussion.)

I think the notion of one total identity will fall by the wayside, at least for most of society. It's just too inefficient for someone to read a dossier before making a business decision. Identity theft and other tricks also make the system incredibly fragile.

For instance, imagine buying subscriptions of Akahata for people. If giving someone a "gift" subscription is enough to have them blacklisted from jobs, I wouldn't be surprised if people are doing this with malice aforethought.

Joi:

Are you sure that the people (business people) who are at Davos really want to change the world? I remember five years ago, one of the comments at Davos was: "The best investment for our companies now is to fire people". The problem with the industry and the business is that individual humans are considered as investments, units for producing. If the machine is not effective enough, we stop it or replace it by something else.

There's no consideration for the social impact. I'm not sure how people should consider Davos, which side of the fence you can really choose to change things. It's always a very difficult question.

Windows and Fences of Naomi Klein is particularly interesting to read for that.

For the identity, there are strong issues at many different levels, but I like to put that in perspective with what other cultures have done.

When the western world started to study other civilizations, you had different reactions.

The inuits have a tendency to stay completely silent and to not explain their culture at all. Strong Privacy by silence. We will not share our secret.

The Dogons in Africa, when the first ethnologists came, adopted a completely different strategy. Say a lot of information, but only false information. So the ethnologists spent days trying to understand, making theories to explain what their culture was. Privacy by camouflage.

In our society, should we keep our information secret (PGP) or should we give information with a lot of wrong information?

I find yours to be an interesting perspective. However (and isn't there always a 'however'), I believe there is an issue that is parallel to multiple ID management. That is the fact that, as you say, once created, information is permanent.

I do not agree that this must be so. There are methods of removing such data from both central and decentralized databases. Unfortunately, such methods live in so-called grey areas of computer and network access.

This speaks to a central problem: who owns information that relates or points to the entity that is 'me'?

Does Google own it because they own the info-structure within which bits and bytes that point to Scott Fallin reside? Or do I own it because I am Scott Fallin?

I am rather positive that Google's normally wonderful caching feature has been responsible for my losing a chance at a good job. I used to blog about personal matters under my own name with a .com attached to it.

While I accept the responsibility for creating this information about me in a public manner, I also feel it is my right to retract that information from the public domain.

I expect absolutely no one to agree with me on that. But it is my information, not that of the database.

There have been black market services for some time that, for a rather steep price, will purge such data from remote computers.

Alas, there is no accounting for the thousands of DAT drives off-loading such information.

Aside from running afoul of the law, all we can do as producers of identity information is to be careful about what we consume and produce.

I see a day in the not so distant future when maintaining a blog could become a very dangerous pastime.

Profiling is idiotic.

Adoption is so widespread that some people don't know that children naturally look like their parents.

Kidnapped twins and triplets and unregistered identities save lives like escaping slaves in the Civil War.

Keep a sense of humor. It always helps in times of trouble.

Don't laugh too hard: you might split your sides or pee on the floor. The girl who's laughing with you might have a wig on. Her boots might be too tight. She might not be wearing any underwear. Somebody just might get a bang for their buck. The plastic surgeon might have done too good a job. The only difference between them might be the size of their dicks. The father might be better in bed than the son. The son might be better in bed than the father. The mother might like the famous movie "Mrs. Robinson," and want to try him out before her daughter. All the older people have accumulated is antigens. The antidote might have its own cause. Every seven years the body is completely renewed - not a same cell exists, except in the brain. It is good to travel: travel brings prosperity. An insight a day is worth a dram and an encyclopedia. Give it all up - you never lost anything. Candles are good - they kill the cooties flying around in the darkness. Don't burn a candle at both ends - it might be a firecracker. Somebody light the candles in the wax museum - I'm getting bored with the occupants. Nothing can beat the statue of the thinker. Nothing can beat the Eiffel Tower. Nothing can beat Niagara Falls for a honeymoon spot. Hawaii is just a lot of leis and hot sun and water. Arizona is all sand. Nice is nice, they say, I've never been there. Japan is where the Japanese live. Korea is where the Koreans live. Jamaica is where the Jamaicans live. Africa is where the black Africans live. England is where the British live. Ireland is where the Irish live, and fight. Other people fight in other parts of the world, and Israel is where the Israelis live. Israel is a Jewish state, which is to say that it is a country. There are Palestinians on the border of Israel. They want their land back, and they fight. Read the Bible. It is good for you. You will never find a better book. Study the bible. If you do not study the bible, you will never know anything.
The bible is good literature - it is the best literature that my 5th grade teacher ever read. I missed all the movies about the whaling ships, so I didn't see all the blood on the screen like all the other kids did - I was on vacation at the time. Where? I don't remember. I came back to school and I was so far ahead of the other children in our study books that I got to go on vacation again so they could catch up. Don't use the word "kids" to mean "children," nor the word "kid" to mean "child." That is a slander, because a "kid" is a baby goat, and then you are calling the "child" some type of animal, and it is slander to call a human being an animal. Do not even slander even one child by calling him or her a "kid." That is what I learned from my fifth grade teacher. "It has great consequences." That is what she told me. "It has grave consequences." That is what she also told me. Then she said she was going to show us the movie about the slaughter of the whales, but I missed it, and I heard all about not calling a "child" a "kid" again when I came back. I did not miss that! I may have forgotten, but I did not miss it. There is more, but that is all for now, since I forgot the rest in the telling of it. Read Shakespeare. That is what I was told. You may find it hard to read the bible, but if you read Shakespeare, you will not be very far behind.

- JW


19 TrackBacks

Listed below are links to blogs that reference this entry: I'm not Joi Ito, that's just my name.

TrackBack URL for this entry: http://joi.ito.com/MT-4.35-en/mt-tb.cgi/876

I think some of these words have different shades of meaning in different contexts, but I think the boundaries between entity, identities and profiles is somewhat unclear.

Good piece on ID from Joi. Main suggestion : We should have different ID's for our different roles. Each of...

Joi Ito has an interesting riff on issues of identity in the networked world. Here's an excerpt: My point is. We should have different ID's for our different roles. Each of these ID's will have a different bit of authentication and collateral attached...

Interesting discussion at Joi Ito's blog about privacy, identity, and the impact of digital technologies. It got me thinking about just how much of my identity people actually need to know. For example, my bank routinely asks me to swipe

An interesting rant from Joi Ito about the nature of identity and how he things it needs to be handled in an online enviroment. I'm not sure if I agree with him, I haven't given the subject a lot of...

Nobody knows who I am from chaotic intransient prose bursts
July 17, 2003 10:02 AM

An overview of the philosophy of identities, a hot topic these days of FOAF and multiple IDs.

Joi Ito on Identity from Stream Of Consciousness
July 17, 2003 3:02 PM

In a recent blog posting, Joi Ito wrote: You don't care if my real name is Joi Ito or where I live exactly. As a blog reader, you probably care if it is the same blogger that has posted all of the other blog entries on this blog. Precisely...

Joi Ito on Identity from E-Business Weblog/Newsfeed
July 17, 2003 6:18 PM

Joi Ito on Identity. Well worth reading: Joi Ito's Web: I'm not Joi Ito, that's just my name (via Stefan Smalla)...

The discussion about tracking edits, and editing our weblog writing continues, and perhaps rightly so. Though this originally started out as a disagreement between two people, the impact is going beyond these players and may change how we view what we ...

blogreading whenever I'm free, as usual... when I came across Joi Ito's interesting argument at his blogsite about identity and entity. then ramified into more interesting discussions of centralization and decentralization of it, national ID cards an...

I have numerous identities and I feel comfortable using them for different occasions. Maybe Joi Ito's explanation would make you understand better of what I meant....

Adrian Holovaty adds a new weblog feature to his homegrown weblog: reserved comment names: Now, every time you see a...

Joi Ito discusses the identity issues on the weblog. There are some reasons to fake online identities when you read the Orwellian Japanese story: "In Japan there is a left-wing newspaper called Akahata. The list of subscribers is tracked by...
