As Featured on GSN: Government Security News
The following noteworthy identity management statement comes from the Cyberspace Policy Review issued last year by President Obama:
“Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”
To be clear, I am an avid opponent of “anonymity for all” on the web. I do not think it is in our common interest to have anonymous communication in the public sector. I know that I will draw the ire of many who view the Internet as a constitutional right, but I persist with this view because the very nature of our constitution provides for the free and open exchange of ideas in the public forum. With this protection in place why would we need anonymity given the extreme handicap that it places on us in processing information?
Opinions or ideas or concepts only have value based on the reputation of its advocates. Therefore, identity is important in lending credence to one’s views. Do you have the appropriate domain of expertise to warrant someone paying attention to you at all? Clearly, identity is an important part of our human dialogue as it is the basis for our assessments on credibility and degrees of trust that we assign to our interactions. Why do we forego it on the internet?
What should be unacceptable is the idea of an overarching government taking control of this process. Our government should not be concerned with anyone’s identity in the public forum, but the public forum should. Anyone willing to stand up in the public square does so with the knowledge that he or she will be judged based on their credentials. In fact, it is their credentials that help to make their case. Picture Charles Manson in one corner talking about morality and then imagine the Dalai Lama on the next corner doing the same. Can you imagine a different perspective on the part of listeners based on knowing something about who each of these people are?
Identity is important! And what is more important is that people should require identity in order to process ideas, but know that identity does not need to be absolute. We do not need to know everything about the Dalai Lama in order to weigh his thoughts on compassion. We do not need to know where he banks, or even where he lives. We need only know those aspects that pertain to his opus in that area. The last thing we need is a government-sponsored “matrix” of identification with respect to ideas because, per the constitution, the government is the one entity that should not care. So how should identity be handled in the age of cloud computing?
Cloud of Identities
For cloud implementations to have any meaningful contribution to the advancement of intelligence identity has to be more than a username and authentication has to be more than a password. This includes all the extensions of that paradigm, including “n” factor authentication and certificate based tokens, where relying on systems to authenticate us is absolutely out of context with the 21st century demands. It’s time for a whole new approach that will enable the application layer to then enable cloud computing.
Under the current regiment, around since the dawn of computers, a username is something that you make up. Given the standalone system-centric nature of early computers that was adequate, I suppose. You could have left the system up and open and anyone who walked up to it could operate it if they knew how, but if they didn’t know they could probably mess things up. So, access had to be restricted by having individual usernames. Then, to add another level of restriction to the process, they added passwords.
Note the use of the term restriction. That’s all that username/password allows for. It’s like a key to a car. It doesn’t identify you it just means that access will be restricted to those who can get their hands on the key, whether specifically authorized by the owner of the car or not. It is not the equivalent of identity, but the new world order requires identity. Now, let’s take a look at the concept of identity.
Law of Identity
We humans operate on identity. Without it not much would be possible. Life wouldn’t even be possible because identity is built into our biology. Newborns cannot survive if they don’t identify either with the birth mother – in the case of mammals – or specie-specific behaviors in other life forms. For humans, the process of identity starts before birth because an unborn child can feel and hear and even see a certain amount of light. After birth, a newborn must identify with its mother or perish (notwithstanding artificial means of sustainment offered by technology). At any rate, without a firm sense of identity and attachment it has been shown that infants don’t develop very well. As we grow we acquire greater and greater capabilities around identity. Who do we trust? How much will we share? What do we believe? What evidence do we require and how do we vet such evidence? An interesting note is that even with a lifelong engagement in the discipline of identification, we can still be fooled by cons and frauds. So identity is not an easy task at any point in the human experience. Still, we do a pretty good job and in the aggregate we have a pretty low risk as a result.
AI: Artificial Identity
What is the record of computers in identifying users? Not very impressive. Computers don’t identify people nor do they lend credence to information. Remember, they just allow anyone who has the right username/password to enter without any assessment of identity, and they pass along information without regard to context or social expectations. The internet is the same because anywhere you go; you simply have to have the right key for the door to walk in. The system doesn’t care who you are.
So how do we make this interaction more human? Is it possible to get away from the system-centric gateway approach and move to a more organic interactive identity structure? I think so and I think the key lies in opening the technology between users so that they can apply their identity talents to the interface.
The Sixth Sense
Heresy you say? People in an organic setting have an open environment. Why shouldn’t people in an online environment have an open setting? Remember, my position is that people are the engine of identity management rather than the system. But clearly, people need a sixth sense in order to work in this environment. Our standard five senses are not applicable. We need a virtual sense, maybe even more than one. The trick is to allow open interaction among people with respect to a group. There are things that we do online that are for public consumption and there are other things that have more restricted audiences.
In organic settings, we have ways to manipulate our environment to allow us to have varying degrees of privacy with respect to a given audience. In cyberspace we do not have this ability. What’s more, we do not have the ability to connect users and data in a manner that allows users to chain specific authorizations from one person to another in a manner that captures the scope and context of that authorization. Data has to have an identifiable source, be owned (private), or not owned (public), or specifically authorized (owned with digital rights assigned) in order to do what we need to transform our thinking about access control. Anything else makes the concept of cloud computing as simple as putting the infrastructure we’ve built over the last 40 years into a remote data center and paying for access to it. This only works for information you don’t really care about. For information you do care about, your cost (both direct and indirect through increased risk) will skyrocket just like the cost of health care has skyrocketed when we outsourced it to “managed care” providers 40-years ago. We need transparent principles of least access (POLA) built into applications and the user-data relationship at very granular levels. POLA simply stated gives access to only the resources needed to perform a particular task. While there are a few brave researchers testing the waters, there is precious little effort in the cloud initiatives toward this.
It is not enough to say that these are accepted limitations of cyber space or that we have a “right to annonymity” in cyber space. Just like the Y2K problem, they are limitations that we have created and we can create the remedies as well. We should all have the means to know with whom we are communicating in cyberspace and we should have the means to control the access that we authorize to our information based on that knowledge, whether it be an individual or a group or organizationl entity. We need to know how they know about us and what their social context is with respect to us. We don’t talk to total strangers on the street without applying at least some basic filters. Why should we do so in cyberspace?
Share this article!