identifying information

One of the self-evident truths we live by is that “everything is moving to the Internet”.

We are using (or trying to use) the Internet for paying our bills; looking up our lab test results; accessing media content; managing our bank accounts; social and business communication; picking out our reading material and news content; executing share trades; looking up our destinations and mapping them – this list grows daily.

Making this all work more effectively and increasing our trust in the interactions is all based in how we identify ourselves, and the information we can share to facilitate the underlying transactions.

The mechanisms we employ for this are generally well understood, even if they are still in need of improvement. We have all kinds of authentication, identity management, federation, access control and other technologies. However, mostly what we talk about at a policy and privacy level is how to ensure anonymity or at least something approaching it.

For the more interesting and powerful transactions that are valuable in our daily living we have a different issue. Rather than remain anonymous, we need to identify who we are – at the very least to ensure that the correct individual gets access to the information that belongs to them, the services they have a right to, or the financial control that they need to exercise over their own affairs. Ensuring correct and protected use of this identifying information requires lots of protections, not the least of which is providing users control and insight over when and how this information is used.

The disconnect we have at the moment is that validating an identity is primarily a process that involves examining physical documents that have never been very well designed for the task. Alternatives such as interrogation of the individual about sufficiently arcane interactions in their life are generally horrendous to use and not at all error-free. Finding information complex or sufficiently hidden that a bad guy could not pretend to be me, but still allow me to recall the right answers is not working out so well.

With so much of our lives lived on the Internet, it seems natural that utilizing the Internet to understand how we live our lives, and leveraging that understanding is the way to enable people to identify themselves.

by Andrew Nash - CTO