What Digital IDs Mean

With all its sign-ons, the Internet has changed the way we represent ourselves. IBM's Bob Blakley ponders the implications.

Now that so many transactions are conducted over the Internet, and using other networked devices, the nature of identity and its verification is changing. Unlike in the past, today we rarely use physical identifiers, such as a driver's license, social security card, or birth certificate. Instead, we have multiple passwords and PIN numbers for impersonal and quick transactions.

This changing nature of identity has given rise lately to many questions about privacy and security. Bob Blakley, chief scientist for security and privacy at Tivoli, IBM's security management software unit in Austin, TX, believes that the philosophical and social implications of this transformation are also important.

Thinking about issues of privacy and security comes naturally to Blakley. His father was a cryptographer. Blakley has a Ph.D. in computer science from the University of Michigan and a degree in Classics from Princeton University. Applying this wide range of experience, he's become a leading authority on Internet identity and authentication systems. And as a software engineer at IBM, he's developing systems to help manage the complexity of modern identity.

Technology Review: As an engineer, what led you to investigate the meaning of identity in the digital age?

Bob Blakley: I started working on security at IBM. Then I did some policy work with the National Academy of Sciences and the Association of American Medical Colleges on privacy issues. There was a National Academies study on authentication technologies and their privacy implications that I participated in. I figured we had a lot of people on the committee who were lawyers and could look at things from that point of view, and lots of good technologists. But what we didn't have was anyone who was looking at things from the point of view of philosophy and sociology. And since I had been a Classics major, I figured that that would be something useful I could do.

TR: How are you exploring identity in relation to technology?

BB: I've spent a lot of time studying what real philosophers both from the past and today have said about the issue [of identity], and I've tried to put that into a context that will make it useful for the technology industry. Really, what the information technology industry does is automate processes that were formerly manual. Of course the good thing is that it can greatly increase efficiency and reduce cost and reduce error, but the thing is, it's very difficult to automate a process that you don't understand. I think that this is the case with respect to identity. Identity is a phenomenon that we as a technical community don't understand that well. It's not that we're stupid, it's because it really is very, very complicated.

TR: These days major aspects of our identity are being digitized, stored in massive data warehouses, and zipped around the world on the Internet. What are the implications of this?

BB: There are three things that are interesting. The first is that digitizing information increases its velocity. So if something gets loose inappropriately, it gets a lot further than it used to. The second is that these warehouses, as you say, create risk aggregation problems. The more information is in one place, the more value is gathered in one place, and therefore the greater the attractiveness of that place to the 'bad guys.'

The third thing about digital information is that there is this sociological phenomenon that if you're collecting information from a human being, putting it onto a form, you're likely to associate information as belonging to a human being. You have a person in front you, and you're aware of issues of human dignity. Whereas if you just have this gigantic screen full of millions and millions of files, it does not give the same sense of social obligation. There is an extent to which digitizing of personal information depersonalizes it and makes it easier for people to forget what they're actually doing, or at least not make the same sorts of emotional associations with handling personal info as they would in the real world.