Identity

There's a lot of talk about identity at the moment.

The government is arguing for an identity card system, whereby people will be issued with smartcards containing identity information. The idea is that the government will issue you with a card containing information they know about you - name, DoB, address, some kind of serial number, that sort of thing - and biometric information such as fingerprints and a photo, all on a chip that only responds when it's given a correct PIN, which they also tell you. If you present the card, enter the correct PIN into a reader device, look like the photo and have the same fingerprints, then the reader can be confident that the name, DoB, address, and serial number really do relate to you.

That's one form of identity, and one that governments like: everyone has precisely one identity, so they can't commit a crime with one, have a well-paid job under another, and then go and claim benefits with a third. "Proving your identity" means proving your real name and address.

But that is a particularly rigid idea of identity. Many people would like to have more than one identity. You might think of criminals as being the main customers of such a system, but there are many legitimate uses. For a start, most authors and celebrities work under pseudonyms, in order to build a "brand". Cherilyn Sarkisian LaPiere is better known to us as Cher. When Alice Mary Norton started writing science fiction in 1934, an era in which science fiction written by a woman would not have been taken seriously, she wrote under the androgynous name of Andre Norton. Fiction authors are particularly prone to multiple pen-names, as many of them operate in more than one genre, but the novel-purchasing market tends to like to feel that if they like one book by a given author they'll probably like others - so the authors often use a different name in each genre.

Also, there are legitimate reasons to be hiding your true identity. Somebody writing essays about How They Coped With Drug Addiction might well not want to use the same identity as they use for professional purposes; yet they would still want to use an identity that they can prove, since it would still be damaging to them if people wrote other essays under their identity, perhaps parodying their difficult struggle. And an author writing under a professional pseudonym should be able to prove that a given work of fiction was written by them under that identity, without needing to tell people what their real name is.

In a similar vein, there can be role identities, which should be just as valid as your legal name. The seat of Editor of the Financial Times is an identity that is held by different people at different times (or could even be held by a team of people; perhaps it is, I don't know...), but it's a valid identity that the current holder should be allowed to prove they hold, without necessarily needing to reveal the real name (and date of birth and home address...).

So, even despite the security implications and costs of having a central identity database, I think that a system that only allows you to have a single identity is fundamentally flawed.

Which is why I'm keen on public-key cryptography and webs of trust. Under these schemes, anyone can create a keypair, then use that keypair to sign a statement saying "The keypair with this public key belongs to Bob Jones", and then publicise the public key and the statement (which is pretty much how a PGP public key works). My holding of the corresponding private key means I can sign other digital things (anything that can go in a file on a computer; text, photos, whatever) with that key, and anybody can get the public key and then check the signatures on all the things I sign, and see that they're all signed by the same identity.

Now, this may sound meaningless, since anybody on Earth can create a keypair and attach a signed statement to it saying "The keypair with this public key belongs to Alaric Blagrave Snell-Pym", and all claim to be me. There's nothing to stop them lying. So what good is it for me to create such an identity?

Well, the thing is, what my actual legal name is is irrelevant. If I write a series of great essays and sign them all with the same key, all that matters is that it's the same person-who-claims-to-be-called-Alaric. My name is rare, but by the same argument, you might ask what the point is in a government ID card (or birth certificate, passport, etc) saying your name is John Smith; there are countless John Smiths on Earth.

Your given name is just a label.

If you want to tie your real-life identity - as in, your friends know you by a name (which may or may not be your legal given name) and your face and voice - to your cryptographic identity, then you can, when meeting them in the flesh, tell them your public key (or, more likely, tell them where to get it and tell them a small fingerprint of it so they can check it's the real one you made and not an imposter's). That, for them, will tie those two identities into one, as long as they trust you not to be claiming ownership of somebody else's cryptographic identity!

If you want to do it better, then you can have them issue cryptographically-signed statements using their identities saying "I, John Smith, believe that the keypair with fingerprint 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678 does indeed belong to Alaric Blagrave Snell-Pym", in effect countersigning your statement of ownership. Then anybody who trusts their digital identity can decide to trust the claim of your identity, too, based on the referral.

Or you can go to a keysigning party, and prove your legal name to people you don't know by producing photo ID and giving them your cryptographic identity details. They can then issue signed statements saying that they've seen the same person produce a photo ID with the name "Alaric Snell-Pym" on it, where the photo matched their face, and then claim to own the specified cryptographic key which also has their name on it. Which, in effect, is a claim that they have reasonable confidence that the key really does belong to an Alaric Snell-Pym.
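The self-signed claim, the spoken fingerprint and the countersignature described above can be sketched in a few lines of Go. This is an added example, not code from the original post: it uses Ed25519 from the Go standard library rather than PGP, and the fingerprint scheme, statement wording and function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is a keypair plus the label its holder chose; nobody verifies the label.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity(name string) Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Identity{Name: name, Pub: pub, priv: priv}
}

// Fingerprint is a short digest of the public key, suitable for reading out in person.
// Assumption: first 20 bytes of SHA-256 in hex; OpenPGP derives its fingerprints differently.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:20])
}

// claim binds a label to a key by fingerprint (wording constructed for this sketch).
func claim(name string, pub ed25519.PublicKey) []byte {
	return []byte("The keypair with fingerprint " + Fingerprint(pub) + " belongs to " + name)
}

// Sign signs any bytes (an essay, a claim) under this identity.
func (id Identity) Sign(msg []byte) []byte { return ed25519.Sign(id.priv, msg) }

// SignedBy reports whether sig over msg was made by the holder of pub.
func SignedBy(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// SelfClaimOK checks the holder's own statement of ownership. Anyone can make one.
func SelfClaimOK(name string, pub ed25519.PublicKey, sig []byte) bool {
	return SignedBy(pub, claim(name, pub), sig)
}

// Countersign is a third party vouching that pub belongs to name.
func (id Identity) Countersign(name string, pub ed25519.PublicKey) []byte {
	return id.Sign(append([]byte("I, "+id.Name+", believe: "), claim(name, pub)...))
}

// Vouched checks that the voucher's signature covers exactly this name and key.
// Only the voucher's Name and Pub are used, so a verifier needs no private key.
func Vouched(voucher Identity, name string, pub ed25519.PublicKey, sig []byte) bool {
	return SignedBy(voucher.Pub, append([]byte("I, "+voucher.Name+", believe: "), claim(name, pub)...), sig)
}

func main() {
	alaric, impostor, john := NewIdentity("Alaric"), NewIdentity("Alaric"), NewIdentity("John Smith")
	cert := john.Countersign(alaric.Name, alaric.Pub)
	selfSig := impostor.Sign(claim(impostor.Name, impostor.Pub))
	fmt.Println("impostor's self-claim verifies:", SelfClaimOK(impostor.Name, impostor.Pub, selfSig))
	fmt.Println("John vouches for the real key:", Vouched(john, "Alaric", alaric.Pub, cert))
	fmt.Println("John vouches for the impostor key:", Vouched(john, "Alaric", impostor.Pub, cert))
}
```

Both self-claims verify, which is the point made earlier: the name alone proves nothing. What separates the two keys is the fingerprint and whose countersignatures cover it.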

But what if you want a pseudonym? After all, a big part of the appeal of the system is that you can create multiple identities. How do you prove you hold a name you've just made up?

Well, again, the important thing is to stop focussing on the name. It's just a label. Focus on the deeds done under that identity, for they are what actually define it. If, under a pseudonym, I write a great series of essays that inspire the reader with immense admiration for my wisdom, experience with the computer industry, and critical faculties, then under the same pseudonym I write the sentence "Microsoft's next product will be a failure", then that statement will carry a lot more weight than if it had been written by an anonymous person. The fact that the same cryptographic identity signs all of the essays and the unsubstantiated statement is what matters. The fact that it might also sign a statement reading "I would like to be known as SuperNerd007" is only marginally relevant.

So, to summarise, identity is NOT about name. Look at the root of the word - the same as identical. An identity merely associates a series of deeds with a single doer-of-deeds. Associating identities with names is a convenience to let us discuss them with other people; but the name is not the same thing as the identity.

The reason governments want each of us to have a single identity, associated with our legal name, so that everything we do is lumped into one, is simple: it makes it easier for them to fight crime. If your crimes have to happen under the same identity that you use for legitimate interactions with society, then once you've had a crime associated with your identity, any place your identity is checked can also check against a list of wanted criminals and bring you in. And then the logs of everything you've done under that identity can be scrutinised for evidence.

However, if they managed to do this, it would have terrible consequences for people with legitimate reasons to want to use pseudonyms or roles.

And... they can't do it. An identity card system will only force people who don't want to commit the crime of fraud to live under a single identity, because criminals will figure out ways to get fraudulent ID cards. Places with ID card schemes have recorded cases of officials who issue them being bribed - or fooled with forged paper ID in the first place. ID cards can be stolen from people with similar appearances to yourself, their fingerprints copied (if necessary), and the PIN tortured or tricked out of them. The underlying technology of the readers can be attacked, and readers tricked into saying "YES" when they mean "NO".

And the fact that, with self-created digital identities, I might publish slander and child pornography under one identity then live a respectable life with another, isn't actually that great an obstacle for the police. After all, with a simple court order they can have ISPs release their logs about the activities of my criminal identity, and thus trace back to the place where I physically go online, then a couple more court orders can find other identities that are also used from that location, or even my actual legal name, if it's an Internet connection I pay for myself in anything but cash. The use of multiple identities does nothing to protect me from the traditional tool of criminal investigation that's worked for years - the authority of the police to have private information revealed to them by organisations. It's as simple as that.


  • By Improbulus, Sun 6th Jul 2008 @ 12:38 pm

    Great essay, Alaric! I agree with everything you say, particularly the (ir)relevance of my legal name. But then I would.

    Any reputation I have in technology has been built up under this name and I want to keep it, and be able to prove it's me. If you searched my real name online, you'd find nothing at all of significance related to computing, though maybe a mention or two in music.

    I just want to be able to prove I am the person known online as "Improbulus" and, as importantly, if someone else tries to say they're Improbulus and posts things purporting to be from me, I can disprove that - e.g. through people signing my keys to that effect, and I am more than happy to be held accountable as "Improbulus".

    I wish there was a way of doing so. Or maybe there is: people signing my Improbulus keys as such. Whoever wrote the excellent ORG wiki page on key signing parties at (was it you??) clearly understood this ("take the public part of somebody's digital identity, and then use your own digital identity to create a signed digital document stating that you trust that the holder of that identity really is who the identity claims it is (which can be their real name, or a pseudonym you believe them to rightfully hold)").

    I hope those who refused to sign my Improbulus keys without seeing my driving licence/passport showing my real name will read this post - and which clearly envisages signing pseudonyms and providing a mechanism for doing that even for an identity without a meatspace equivalent (and no one who's met me can deny I DO have a meatspace equivalent!). What do they want, a blog post about them, a meta tag, blood (for a genetic fingerprint)??

  • By alaric, Mon 7th Jul 2008 @ 11:28 am

    I guess the interesting question is: if somebody comes up to you and says "I'm Improbulus, will you sign my key to say you agree?", what does that signature actually say? When you sign somebody's key in their legal name because you've seen their passport, you're stating that you've seen evidence it's their legal name.

    I will sign Improbulus' key, just as I signed Spy Blog's key; at certification level 2 ("casual verification"), since through having friends in common who can say "Yes, that's the real Improbulus", combined with public and private online discussions, I am confident that the person who stood before me proffering a key fingerprint is the same as the online Improbulus you can find in Google. My experience could have been faked, but it would have been a lot of effort for somebody to go to, and I can't see how it would be worth it (security is all about tradeoffs).

    I signed Spy Blog's, on the other hand, because the key fingerprint the guy claiming to be Spy Blog gave me matches the one on his web site, so again there's a reasonable likelihood that the key really belongs to the guy behind Spy Blog and not to a man in the middle who'd love to find out who's blowing what whistles.

    It would be rather easier (and certainly within the wherewithal of the intelligence services) to man-in-the-middle Spy Blog, and then send an agent pretending to be the guy behind it to OpenTech handing out the fingerprint of a fraudulent key. But it would probably be easier for them to just set up Spy Blog themselves as a honeypot. Indeed, they could subvert driving licence-based key signatures; they have the facility to print as many driving licences and passports as they wish.

    However, if Mr. Spy Blog is who he says he is and not an MI5 honeypot operation, then he can protect himself against cheaper Internet-only man-in-the-middle attacks by, in person and online, getting people to sign his key. If the key has a long history of being signed by various people, some notable, some who are friends of friends of friends of yourself, it's very likely to have actually existed for some time - meaning that The Authorities can't just create a false key and slide it onto the Spy Blog web server (or force the upstream ISP to intercept HTTP requests for it and replace the key with their own) whenever they feel the urge; by linking that identity into a web of trust, it requires more complex, expensive, and forward-thinking operations to have subverted that web from the outset.

    To conclude, thinking about security questions like this is complex. But it's also good fun!

    But do we expect the general public to learn all this stuff so they can be secure online? Well, I think that as we move to an increasingly online society, they will anyway - so many kids these days use online social networking services that the consequences of letting other people know your password are becoming second-nature obvious to them in ways that previous generations haven't had to spot. I think that as communications technology becomes more widespread - and if, hopefully, public key crypto technology becomes more widespread - people will just pick this stuff up organically and it'll become second nature. And we'll have a more secure society because of it.

  • By David McBride, Tue 8th Jul 2008 @ 6:57 pm

    == On the Nature of Identity ==

    Yes, I've been thinking about identity since OpenTech as well -- particularly as it pertains to my thesis topic!

    An identity is a person-reference, a pointer that produces a person when you dereference it. In my head, I have a great many person-references, each of which uniquely represents one of the people I know. (One of them represents myself -- literally the identity identity!)

    Identities almost always have many properties associated with them. That person's legal name, nicknames, what their face looks like, the sound of their voice, their reputations for various functions, their public key identifier, all kinds of information.

    Most people, when they're talking about their identity, are in fact usually referring to one or more of these identifiers.

    Properties that are associated with an identity can sometimes be used as identifiers; i.e. given an unknown person's public key ID, I can look up whether any of the identities in my head match that person. (Usually through the use of a memory prosthesis.) This is not always possible; sometimes, a given identifier is ambiguous, or of insufficient fidelity to reliably identify a unique person -- for example, in the case of a fuzzy photograph.

    Authentication, then, is merely the act of resolving an unknown person's identity to a high degree of confidence, usually through the use of measuring hard-to-forge identifiers, validation of a secret key, or both.

    Is the person that you think of as Joe Bloggs the same person that I think of when you use that name? If we're both part of the same small village, then the answer will usually be "yes". If we're both part of the same large city, then the answer is most likely to be "no". And this is the problem when we start to use self-selected identifiers to refer to people.

    Now, in many real-world circumstances, you need to look up some property -- such as a public key -- of someone you don't already know, but for whom you have some kind of identifier -- such as a name or email address.

    But we know that names are not unique; there's an argument that we shouldn't care what name someone has claimed for themselves on their OpenPGP credential, because it simply doesn't matter -- it's their email address which we're using as a unique global identifier. Effectively, it's just a human-readable checksum, a safety feature so that a human can spot more easily a mistakenly looked-up identity.

    Unfortunately, our only way to verify a person's email address is to exercise it -- and email is not secure against eavesdropping or misdirection, particularly in the face of vulnerabilities in the domain-name system. (As an aside, those who haven't seen the DNS security advisories published today, you should look up CVE-2008-1447.)

  • By Lionel, Wed 9th Jul 2008 @ 1:47 pm

    " ID cards can be stolen from people with similar appearances to yourself, their fingerprints copied (if necessary), and the PIN tortured or tricked out of them. "

    This escalation has already happened with Chip and Pin credit cards. South Africa has high levels of breaking and entering, and small portable items like credit cards are a favourite target. Until recently the pattern was a break in when the residents were out of the house, but now it more often happens when the house is occupied, so they can get the PIN numbers of the cards from the owners.

    The result is that the banks enjoy the comfort of a slight reduction in credit card theft, but home owners suffer a major increase in the scariness of crime.

    The next step in this escalation has become a thriller movie cliche – cutting off a finger or removing an eyeball to gain biometric identification.

  • By Edward Barrow, Tue 26th Aug 2008 @ 11:27 am

    Generally, my identity is the way other people know me. Different groups of people (family, friends, colleagues) know me by slightly different labels. My identity comes from the community, not from the state. The problem with the ID database is that I don't need the state (or any other corporate entity) to tell me or anyone else who I am - but perhaps I do need other people around me to do so, to help my interactions: to vouchsafe the label, this person is who he says he is. In the old days, the vicar vouched for my passport photo; my father took me to open my first bank account, and shook hands with the bank manager.

    Ergo, there should be a web-of-trust. The web-of-trust is the most powerful idea in PGP; if you just want pke, there's RSA etc. With a community and a web of trust, you don't need a root cert. In fact the whole root cert logic of X509 and the rest is inherently totalitarian, and should be considered harmful.

Creative Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales