What Digital IDs Mean
With all its sign-ons, the Internet has changed the way we represent ourselves. IBM’s Bob Blakley ponders the implications.
Now that so many transactions are conducted over the Internet and through other networked devices, the nature of identity and its verification is changing. Unlike in the past, today we rarely use physical identifiers, such as a driver’s license, social security card, or birth certificate. Instead, we have multiple passwords and PIN numbers for impersonal and quick transactions.
This changing nature of identity has given rise lately to many questions about privacy and security. Bob Blakley, chief scientist for security and privacy at Tivoli, IBM’s security management software unit in Austin, TX, believes that the philosophical and social implications of this transformation are also important.
Thinking about issues of privacy and security comes naturally to Blakley. His father was a cryptographer. Blakley has a Ph.D. in computer science from the University of Michigan and a degree in Classics from Princeton University. Applying this wide range of experience, he’s become a leading authority on Internet identity and authentication systems. And as a software engineer at IBM, he’s developing systems to help manage the complexity of modern identity.
Technology Review: As an engineer, what led you to investigate the meaning of identity in the digital age?
Bob Blakley: I started working on security at IBM. Then I did some policy work with the National Academy of Sciences and the Association of American Medical Colleges on privacy issues. There was a National Academies study on authentication technologies and their privacy implications that I participated in. I figured we had a lot of people on the committee who were lawyers and could look at things from that point of view, and lots of good technologists. But what we didn’t have was anyone who was looking at things from the point of view of philosophy and sociology. And since I had been a Classics major, I figured that that would be something useful I could do.
TR: How are you exploring identity in relation to technology?
BB: I’ve spent a lot of time studying what real philosophers both from the past and today have said about the issue [of identity], and I’ve tried to put that into a context that will make it useful for the technology industry. Really, what the information technology industry does is automate processes that were formerly manual. Of course the good thing is that it can greatly increase efficiency and reduce cost and reduce error, but the thing is, it’s very difficult to automate a process that you don’t understand. I think that this is the case with respect to identity. Identity is a phenomenon that we as a technical community don’t understand that well. It’s not that we’re stupid, it’s because it really is very, very complicated.
TR: These days major aspects of our identity are being digitized, stored in massive data warehouses, and zipped around the world on the Internet. What are the implications of this?
BB: There are three things that are interesting. The first is that digitizing information increases its velocity. So if something gets loose inappropriately, it gets a lot further than it used to. The second is that these warehouses, as you say, create risk aggregation problems. The more information is in one place, the more value is gathered in one place, and therefore the greater the attractiveness of that place to the ‘bad guys.’
The third thing about digital information is that there is this sociological phenomenon that if you’re collecting information from a human being, putting it onto a form, you’re likely to associate information as belonging to a human being. You have a person in front of you, and you’re aware of issues of human dignity. Whereas if you just have this gigantic screen full of millions and millions of files, it does not give the same sense of social obligation. There is an extent to which digitizing of personal information depersonalizes it and makes it easier for people to forget what they’re actually doing, or at least not make the same sorts of emotional associations with handling personal info as they would in the real world.
TR: There are benefits to our identities being so mobile, such as remote communication and automated commerce. What are the challenges with mobile identities?
BB: We as an industry have implemented identity technology for a long time. We assigned people an online identity, and, in fact, we did that so successfully that people had a lot of them. Now the next generation of identity technology is trying to allow individuals to get a handle on the complexity that’s created by them having all these different identities. They have these different identities not because they want so many, but because each organization they do business with has their own identification system and they don’t talk to each other because they bought them from different vendors. So we’re trying to reduce the complexity for the individual of managing identity technology.
TR: How do you do that?
BB: We recently announced Tivoli Access Manager Enterprise Single Sign On [a software application]. This allows people to simplify their management of log-on credentials if they have a lot. There’s a much older technology that you probably have, that lets you do the same thing – it’s called a wallet. That’s a credential management technology. It works in a physical world, but we are building credential management that works in an online world. If you look at Microsoft and their initiative aimed around “InfoCards,” it’s aimed at a similar problem.
TR: What other problems involving personal identity can software help to solve?
BB: The other thing we’re trying to do as an industry is to reduce the overall expense that a business has to dedicate to managing identity. And the way that we’re trying to do that is to allow people to share identities that are owned by other organizations. The general term for this kind of technology is “federation.” But what it basically means is if I’m a customer of Citibank, and you’re a merchant, but your bank is Bank of America, Citibank can manage my identification, but you and Bank of America can recognize it without having to create an identity record for me yourselves. That’s a really big deal because managing an identity is expensive. If I have an identity, an account, a PIN number and password, the cost per year of me having to call the help desk every time I forget my password is really, really high. It’s in the tens of dollars and sometimes as much as hundreds of dollars for one account per year. So if you can consume my identity without having to manage it, that saves you an enormous amount of money.
TR: People generally don’t consistently think of themselves in terms of their digital identity. Should they?
BB: Yes and no. People need to establish accounts, and they do need to have a level of vigilance to ensure that the identities used in those accounts aren’t being used by other people and they haven’t been contaminated by identity theft. You need to do that. But if you say that you’re worried about identity, it seems to me that what you’re really worried about is one of a variety of other things. You might be worried about your behavior. You might be worried about privacy, which is not exactly about identity. You might be worried that your establishing an identity is in some sense going to compromise privacy that you previously had before you established that identity. In which case what you’re really worried about is the behavior of the organization you’re doing business with.