Excellent blog post… I have been thinking about the concept of identity and wrote way back when on this subject. I am not sure if you read it, but I include it here. It was originally posted on my not-so-often updated blog located at http://robmarano.blogspot.com... shame on me as an occassional blogger:

Solutions to the Digital Identity and Privacy Conundrum

Part 1 – Introduction to Static and Dynamic Identities

Since I began researching digital identity and the concept of digital privacy in 1999, I have always envisioned a flexible authentication system to be at the heart of every point of interaction online and offline; between people, between people and business, between people and government, and between business and government. The explosive growth of the personal computer and the Internet and, subsequently, Internet culture and commerce, has not allowed society to transpose normal human behavior and practices to the new, all pervasive medium.

During my tenure at PricewaterhouseCoopers (PwC), I ended each conference presentation on emerging technologies with the statement, “With technology there is neither a replacement for a smile nor a frown.” What I was getting across to the audience had more to do to help transform technology into a viable replacement for physical human interaction than it did to temper the use of technology. Processes within a business or through a value network require humans to interact with one another to make critical decisions for continued success. Since the first barter many millennia ago, good and continuing business has always included physical recognition, eye-to-eye communication and a bond to complete the transaction. Without recognition, the entire process would never proceed. Therefore, recognition of and the subsequent authenticity of the person with whom you conduct business or any type of valued transaction or interaction becomes the cornerstone of the relationship. It establishes trustworthiness between the participants, and trust is built on continued successful interaction for both parties.

Standing in front of a person fulfills the recognition process, otherwise known in IT terms as “authentication.” It is a necessary but not always sufficient requirement for interaction. As the value of interaction rises, so too do the methods of recognition, which becomes both a physical (biometric) and a knowledge challenge/response test. Authentication answers the question, “Is this person truly who they claim to be?” Name, physical presence and traits, distinguishing physical features, e.g., clothes, shoes, eyeglasses, jewelry, etc, serve as cursory markers as proof of identity. Society considers these traits as sufficient in informal, casual interaction.

However, other forms of identity are required to conduct more formal, value-based transactions, such as, citizenship, commerce (buy/sell/invest), travel, entertainment, healthcare, and participation in government programs, for example. Value translates into money, social order, or safety and security of life. In order to standardize these forms of identity, governments, organizations, and businesses have issued their own identity cards, which simply connect a signature and photograph or a uniquely distinguishing identifier (bar code) to the organization’s branded token, or card; for example, birth certificate, marriage certificate, credit and debit cards, drivers license, passport, loyalty card, stadium ticket, health insurance cards, and Social Security card, respectively. Such identity cards can be defined as static, since they do not change in appearance. New ones are issued based upon a change in status of the service guaranteed by the card issuer. Moreover, these static identity cards almost always have time value associated with it, giving an expiration date, since the user’s unique distinguishing trait may change over time.

As an aside, citizenship by birth is a tough identity to prove with the lack of standardized birth certificates, which is due to the varying formats and policies of each hospital in each county in each state across the country. Moreover, marriage certificates are an important source of identity in several areas, financial records, property ownership, benefactor association, drivers license, and passports. For example, if a woman changes her name legally before using her older passport during international travel, national borders have been known to accept the marriage certificate as a proof of name change. Is there any way the border agent can verify and validate the authenticity of the marriage certificate, especially when there are no standards among the thousands of municipalities in the country? The US Congress is poised to pass the REAL-ID Act of 2005, which requires states to surrender their regulatory rights over driver’s licenses and birth certificates with no mention of marriage certificates and excludes applicability to illegal aliens.

Returning the concept of static identities, it’s important to stress that this type of identity is given to a person upon entering or joining a group, organization, business, or state privilege like driving or marriage. Information on the actual use of services, what and when people buy, what they listen, watch, eat, and where they go and how frequently forms the second type of identity, called dynamic identity. As taken from the Merriam-Webster entry for privacy, “Freedom from unauthorized intrusion” or access defines privacy of one’s own critical, sensitive, and personal information. It is common for people to share their static identity markers with credit card companies, government agencies, insurance companies, etc, in return for service. However, it becomes an issue of privacy to guard any sensitive information that defines their dynamic identity. This will be addressed in detail in an upcoming installment on this blog, for privacy and identity are two strands that make up the DNA which defines a person – names, traits, and trails (of dynamic information). Both static and dynamic identities serve as access keys to any type of value for every individual. The value can either be represented as goods or as services, both of which are bought, sold, or bartered.

The next installment will focus on how modern IT systems can be transformed to ensure trustworthy identity transaction across business to business, business to government, business to consumer, and consumer to government. I’ll begin to detail how these technologies will help solve the problems and reduce costs to fraud and insecurity, extend trust over the Internet between people, and help to establish and solidify trust across the spectrum of merchants, consumers, and financial service providers, helping to unleash the next generation of Internet-based commerce. It is important to note that a recent Gartner report states online banking and ecommerce has taken a slight dip due to fears of identity theft and credit fraud.

In the new Internet order, consumers will be able to transpose their purchased content across any device of their choosing, for example, from watching a movie on the bus on a mobile device/cell phone to then transpose the movie directly to their TV upon arriving at home, with ease. With technologies deliver and assure digital identity authentication, mobile service providers can assure Hollywood that piracy would be a thing of the past because every copy of digital content will be associated to a valid, paying consumer. Moreover, consumers will be assured that their critical, sensitive information cannot be used in any type of fraud against them, since the power to control how, when, why to use their information will rest with them…

Interesting premise, but here’s an alternative view – in practice, telephony could be considered as another step on an evolutionary hierarchy of identity-mapping techniques rather than as an identity in itself. By identity-mapping I mean a collection of metadata about a person that will have the end-result of providing you with the information necessary to communicate with that person, rather than an identity in and of itself, by which I mean a collection of metadata that will allow you to form conclusions about the person themselves.

That is not to say that there may not be cross-over – for example imanevilscumbag@hotmail.com could fall in both categories whereas jsmith@hotmail.com is less revealing. I realise this gets into a semantic discussion about what is identity, but probably best left for another day.

Practically speaking telephone numbers started out as an analogue identity mapping that extended the premises of telegraphy from a point to point managed service for near real-time communication to a more personalised household based solution with increased accessibility and functionality, and reduced lag. It is as much a step on the way to a digital identity as the invention of the postal service.

As telephone numbers have moved from being a many-one identity-mapping (a family phone) to a one-many (cell phone, desk phone, home phone, work phone etc) a whole host of complexities have arisen in the associated service features take management for example – think back 20 years , and you may have had a little notepad with phone numbers that you would read and manually enter via a dial (that made a strangely satisfying ratcheting sound as you entered the numbers.) to have a conversation with a friend. You may have had an address.

Now you have a digital record with the person’s name, a list of contact mechanisms, msn, Skype, aol, possibly a photo. There may be a website, a blog, and a hodgepodge of other information whose usage will be driven by the type of interaction you are looking to have with the person. , I’m sure it won’t be long before calendar integration and a GPS location will be standard too (If you are reading this and thinking brilliant idea, can I suggest using fireeagle). Given this increase in complexity, the onus is moving from a pull mechanism (how can I access you) to a push mechanism (how can you access me – facebook, linkedin etc) – and you touched on this with your article about personal queues (great idea – implement it as a linkedin/facebook app)- my queue would be as much part of my digital identity and potentially, the identity mapping, as my phone number or email address. The point I am trying to make here is that your digital identity is as much about management of the data you make available about yourself as the communication mechanisms used to exploit them, and thus the telephone number is too simple and bland an object to represent the entirety of even an early digital identity.

So in summary I would propose that the telephone might not be a digital identity – but an evolutionary step in a hierarchy of connection mechanisms that maps communication channels to an individual.

On a separate note, where I think the .tel domain justifies its existence (based on the large assumption, that a certain friend I was having a drink with a few nights ago is wrong; and it is not a cynical land-grab to generate additional revenue for a bureacracy that like most bureaucracies seeks to perpetuate itself and increase its power/wealth (OK it wasn’t that extreme)) is that it is a proven management system that will facilitate the introduction of a limited service that lazy programmers will understand how to use, without needing to know how it works, lazy management will see the value of, and not understand its limitations or replicability through more sophisticated yet harder to understand proposals, allow real applications to collect identity-mapping data about objects.

It’s probably worth touching on the role of SSNs in identity management. They’re probably not an awful candidate for UIDs (and hence for IBE public keys – just like email adresses and OpenIDs). The trouble is that early implementers treated them as shared secrets. So somebody mixed up their public keys for their private keys. We should probably forgive them however, as public key crypto wasn’t invented when that decision was made.

In 1943, many, many household did not have telephones and placing a call meant first contacting an operator to manually patch you through (talk about expensive NAT devices!).

You alluded to Unified Communications which promises a single, email-ish identity fronting numerous “modes” of contact from voice to fax to IM. We’ll see how it plays out in the real world. SIP has its own share of security issues. Perhaps a future blog post will explore.