Telephone numbers – the original digital identity


This post has been stewing for some time, and perhaps the fuss today over the launch of the .tel domain gives me a good reason to serve it up.

It’s my view that telephone numbers were THE original digital identity scheme. Of course like most pioneering activities things weren’t thought through particularly well, and we’ve seen various changes and kludges applied along the way. The system still works though, and most people (even amongst the less technically savvy) are aware of the limitations without even giving them much thought.

Security seems like a good place to start. For some reason my colleagues in the IT security world seem to turn purple and start ranting when I talk about telephone numbers being a type of digital identity. “They’re not secure”, I hear the cry. Let’s put things into perspective – a number is just a type constrained special case of a string format address. Less constrained cases (that are also used for the purposes of digital identity) include email addresses and OpenID URIs. None of these things are inherently secure or insecure, but we tend to associate them with the various degrees of badness embedded in the common implementations. When I dial a number I could be misdirected elsewhere (by an attacker, or just some clever call forwarding), and when I receive a call with caller line identification (CLI) it could be spoofed. It is true that the telephony system that we mostly use today is riddled with security hole, and that there are few good ways of establishing trust, but that’s mostly not the fault of the numbers.

Namespace management has been a key problem over the years. As the use of telephone numbers for personal identity became more common we see the same growing pains that we’re presently encountering in the journey from IPv4 to IPv6. Corporate exchanges were a bit like NAT, but corporate citizens came to demand personal addresses (=numbers), and sometimes more than one (for fax machines etc.). We also bump up against some cognitive psychology issues here – too much namespace = too long to remember. For those of you with kids you can think of yourself as being an expensive NAT router next time you answer their calls :)

Geographic anchoring is somewhat related to the namespace management issues. This is of course a hang over from the days where the physical location of exchange switching equipment was meaningful, but it continues to affect us. I’ve been trying for some time to run with ‘one number’ – a single telephone number that will reach me wherever I am in the world, on whatever device I choose to have with me. The mechanics behind this work surprisingly well; all of the issues are around social etiquette that’s annealed around our use of numbers. People still get offended when I don’t give them a ‘mobile’ number, and others find it impossible to grasp that dialling something that’s purportedly anchored in London will actually reach me in office in NY (or wherever else). I’m told that in some parts of the world great significance is attached to which class of number (from many on a business card) should be used at any given time.

Of course ‘one number’ isn’t a panacea. People still worry about things like long distance costs and roaming charges. +44 may alienate those from +1 or +34 or whatever (it may even be blocked on some corporate exchanges and pay as you go mobiles); so what I may really need is some identity virtualisation, and luckily services to do this already exist.

So, rounding up, telephone numbers were there being digital identity before the term was even coined. Since we still use telephones a lot we still have to consider the use of telephone numbers as part of a broader identity landscape, and that’s particularly important when the conversation moves onto unified communications – something that I’ll probably post about another day.

PS I’m intrigued by the utility of putting contact data into DNS versus something webby like Portable Contacts, and would love to hear stories of how this will be used in anger?

5 Responses to “Telephone numbers – the original digital identity”

  1. 1 Joe M

    I wonder if the US Social Security Number is the original digital identity. By 1943 it was determinded that every man, woman, and child in the US would be give an unique identification number (the first three digits indicating region). What’s the British equivalent and when was it put in place?

    In 1943, many, many household did not have telephones and placing a call meant first contacting an operator to manually patch you through (talk about expensive NAT devices!).

    You alluded to Unified Communications which promises a single, email-ish identity fronting numerous “modes” of contact from voice to fax to IM. We’ll see how it plays out in the real world. SIP has its own share of security issues. Perhaps a future blog post will explore.

  2. 2 Chris Swan

    Apparently telephone numbers first came into use in 1879, and automated mechanical exchanges became common in the 1920s, so it looks like SSNs came later.

    It’s probably worth touching on the role of SSNs in identity management. They’re probably not an awful candidate for UIDs (and hence for IBE public keys – just like email adresses and OpenIDs). The trouble is that early implementers treated them as shared secrets. So somebody mixed up their public keys for their private keys. We should probably forgive them however, as public key crypto wasn’t invented when that decision was made.

  3. 3 Julian L

    OK – you got me.

    Interesting premise, but here’s an alternative view – in practice, telephony could be considered as another step on an evolutionary hierarchy of identity-mapping techniques rather than as an identity in itself. By identity-mapping I mean a collection of metadata about a person that will have the end-result of providing you with the information necessary to communicate with that person, rather than an identity in and of itself, by which I mean a collection of metadata that will allow you to form conclusions about the person themselves.

    That is not to say that there may not be cross-over – for example [email protected] could fall in both categories whereas [email protected] is less revealing. I realise this gets into a semantic discussion about what is identity, but probably best left for another day.

    Practically speaking telephone numbers started out as an analogue identity mapping that extended the premises of telegraphy from a point to point managed service for near real-time communication to a more personalised household based solution with increased accessibility and functionality, and reduced lag. It is as much a step on the way to a digital identity as the invention of the postal service.

    As telephone numbers have moved from being a many-one identity-mapping (a family phone) to a one-many (cell phone, desk phone, home phone, work phone etc) a whole host of complexities have arisen in the associated service features take management for example – think back 20 years , and you may have had a little notepad with phone numbers that you would read and manually enter via a dial (that made a strangely satisfying ratcheting sound as you entered the numbers.) to have a conversation with a friend. You may have had an address.

    Now you have a digital record with the person’s name, a list of contact mechanisms, msn, Skype, aol, possibly a photo. There may be a website, a blog, and a hodgepodge of other information whose usage will be driven by the type of interaction you are looking to have with the person. , I’m sure it won’t be long before calendar integration and a GPS location will be standard too (If you are reading this and thinking brilliant idea, can I suggest using fireeagle). Given this increase in complexity, the onus is moving from a pull mechanism (how can I access you) to a push mechanism (how can you access me – facebook, linkedin etc) – and you touched on this with your article about personal queues (great idea – implement it as a linkedin/facebook app)- my queue would be as much part of my digital identity and potentially, the identity mapping, as my phone number or email address. The point I am trying to make here is that your digital identity is as much about management of the data you make available about yourself as the communication mechanisms used to exploit them, and thus the telephone number is too simple and bland an object to represent the entirety of even an early digital identity.

    So in summary I would propose that the telephone might not be a digital identity – but an evolutionary step in a hierarchy of connection mechanisms that maps communication channels to an individual.

    On a separate note, where I think the .tel domain justifies its existence (based on the large assumption, that a certain friend I was having a drink with a few nights ago is wrong; and it is not a cynical land-grab to generate additional revenue for a bureacracy that like most bureaucracies seeks to perpetuate itself and increase its power/wealth (OK it wasn’t that extreme)) is that it is a proven management system that will facilitate the introduction of a limited service that lazy programmers will understand how to use, without needing to know how it works, lazy management will see the value of, and not understand its limitations or replicability through more sophisticated yet harder to understand proposals, allow real applications to collect identity-mapping data about objects.

  4. Chris,

    Excellent blog post… I have been thinking about the concept of identity and wrote way back when on this subject. I am not sure if you read it, but I include it here. It was originally posted on my not-so-often updated blog located at… shame on me as an occassional blogger:

    Solutions to the Digital Identity and Privacy Conundrum

    Part 1 – Introduction to Static and Dynamic Identities

    Since I began researching digital identity and the concept of digital privacy in 1999, I have always envisioned a flexible authentication system to be at the heart of every point of interaction online and offline; between people, between people and business, between people and government, and between business and government. The explosive growth of the personal computer and the Internet and, subsequently, Internet culture and commerce, has not allowed society to transpose normal human behavior and practices to the new, all pervasive medium.

    During my tenure at PricewaterhouseCoopers (PwC), I ended each conference presentation on emerging technologies with the statement, “With technology there is neither a replacement for a smile nor a frown.” What I was getting across to the audience had more to do to help transform technology into a viable replacement for physical human interaction than it did to temper the use of technology. Processes within a business or through a value network require humans to interact with one another to make critical decisions for continued success. Since the first barter many millennia ago, good and continuing business has always included physical recognition, eye-to-eye communication and a bond to complete the transaction. Without recognition, the entire process would never proceed. Therefore, recognition of and the subsequent authenticity of the person with whom you conduct business or any type of valued transaction or interaction becomes the cornerstone of the relationship. It establishes trustworthiness between the participants, and trust is built on continued successful interaction for both parties.

    Standing in front of a person fulfills the recognition process, otherwise known in IT terms as “authentication.” It is a necessary but not always sufficient requirement for interaction. As the value of interaction rises, so too do the methods of recognition, which becomes both a physical (biometric) and a knowledge challenge/response test. Authentication answers the question, “Is this person truly who they claim to be?” Name, physical presence and traits, distinguishing physical features, e.g., clothes, shoes, eyeglasses, jewelry, etc, serve as cursory markers as proof of identity. Society considers these traits as sufficient in informal, casual interaction.

    However, other forms of identity are required to conduct more formal, value-based transactions, such as, citizenship, commerce (buy/sell/invest), travel, entertainment, healthcare, and participation in government programs, for example. Value translates into money, social order, or safety and security of life. In order to standardize these forms of identity, governments, organizations, and businesses have issued their own identity cards, which simply connect a signature and photograph or a uniquely distinguishing identifier (bar code) to the organization’s branded token, or card; for example, birth certificate, marriage certificate, credit and debit cards, drivers license, passport, loyalty card, stadium ticket, health insurance cards, and Social Security card, respectively. Such identity cards can be defined as static, since they do not change in appearance. New ones are issued based upon a change in status of the service guaranteed by the card issuer. Moreover, these static identity cards almost always have time value associated with it, giving an expiration date, since the user’s unique distinguishing trait may change over time.

    As an aside, citizenship by birth is a tough identity to prove with the lack of standardized birth certificates, which is due to the varying formats and policies of each hospital in each county in each state across the country. Moreover, marriage certificates are an important source of identity in several areas, financial records, property ownership, benefactor association, drivers license, and passports. For example, if a woman changes her name legally before using her older passport during international travel, national borders have been known to accept the marriage certificate as a proof of name change. Is there any way the border agent can verify and validate the authenticity of the marriage certificate, especially when there are no standards among the thousands of municipalities in the country? The US Congress is poised to pass the REAL-ID Act of 2005, which requires states to surrender their regulatory rights over driver’s licenses and birth certificates with no mention of marriage certificates and excludes applicability to illegal aliens.

    Returning the concept of static identities, it’s important to stress that this type of identity is given to a person upon entering or joining a group, organization, business, or state privilege like driving or marriage. Information on the actual use of services, what and when people buy, what they listen, watch, eat, and where they go and how frequently forms the second type of identity, called dynamic identity. As taken from the Merriam-Webster entry for privacy, “Freedom from unauthorized intrusion” or access defines privacy of one’s own critical, sensitive, and personal information. It is common for people to share their static identity markers with credit card companies, government agencies, insurance companies, etc, in return for service. However, it becomes an issue of privacy to guard any sensitive information that defines their dynamic identity. This will be addressed in detail in an upcoming installment on this blog, for privacy and identity are two strands that make up the DNA which defines a person – names, traits, and trails (of dynamic information). Both static and dynamic identities serve as access keys to any type of value for every individual. The value can either be represented as goods or as services, both of which are bought, sold, or bartered.

    The next installment will focus on how modern IT systems can be transformed to ensure trustworthy identity transaction across business to business, business to government, business to consumer, and consumer to government. I’ll begin to detail how these technologies will help solve the problems and reduce costs to fraud and insecurity, extend trust over the Internet between people, and help to establish and solidify trust across the spectrum of merchants, consumers, and financial service providers, helping to unleash the next generation of Internet-based commerce. It is important to note that a recent Gartner report states online banking and ecommerce has taken a slight dip due to fears of identity theft and credit fraud.

    In the new Internet order, consumers will be able to transpose their purchased content across any device of their choosing, for example, from watching a movie on the bus on a mobile device/cell phone to then transpose the movie directly to their TV upon arriving at home, with ease. With technologies deliver and assure digital identity authentication, mobile service providers can assure Hollywood that piracy would be a thing of the past because every copy of digital content will be associated to a valid, paying consumer. Moreover, consumers will be assured that their critical, sensitive information cannot be used in any type of fraud against them, since the power to control how, when, why to use their information will rest with them…

  5. Interestingly enough, we have spoken to a few vendors in the anti-fraud space who have developed products to prevent phone spoofing, when a hacker actually exploits the SS7 network – which is both DNS and global namespace for telephony.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: